TI Evaluation of some fault-tolerant methods in microcontroller dyads for safe and high available control of electrical drives by fault injection. AU Hocenski, Z.; Martinovic, G. (Elektrotehnicki Fakultet, Osijek, Croatia) SO Proceedings 9th EDPE. 9th International Conference Electrical Drives and Power Electronics Zagreb, Croatia: KoREMA, 1996. p.184-7 of 303 pp. 11 refs. Conference: Dubrovnik, Croatia, 9-11 Oct 1996 Sponsor(s): Ministr. Sci. & Technol.; Eur. Power Electron. & Drives Assoc.; IEEE Croatia Sect ISBN: 953-6037-19-X DT Conference Article TC Practical AB The microcontroller dyad is presented in this work. It has two operating modes: highly available mode and fail-safe mode. The evaluation of used fault tolerant methods is done by experiments using the fault injection method. The fault injection system is based on a personal computer, which controls the execution of the experiment and collects the results. The activity of the bus signals is used in calculation of the probability of the fault occurrence. The fault detection coverage is evaluated using the registered number of faults and the probability of the fault occurrence.

TI Fast self-recovering controllers. AU Hertwig, A.; Hellebrand, S.; Wunderlich, H.-J. (Comput. Archit. Lab., Stuttgart Univ., Germany) SO Proceedings. 16th IEEE VLSI Test Symposium (Cat. No.98TB100231) Los Alamitos, CA, USA: IEEE Comput. Soc, 1998. p.296-302 of xxxv+472 pp. 19 refs. Conference: Monterey, CA, USA, 26-30 April 1998 Sponsor(s): IEEE Comput. Soc. Test Technol. Tech. Committee; IEEE Philadelphia Sect ISBN: 0-8186-8436-4 DT Conference Article TC Practical; Experimental AB A fast fault-tolerant controller structure is presented which is capable of recovering from transient faults by performing a rollback operation in hardware.
The proposed fault-tolerant controller structure utilizes the rollback hardware also for system mode and this way achieves performance improvements of more than 50% compared to controller structures made fault tolerant by conventional techniques, while the hardware overhead is often negligible. The proposed approach is compatible with state-of-the-art methods for FSM decomposition, state encoding and logic synthesis.

TI Simulation of a component-oriented voter library for dependable control applications. AU Latif-Shabgahi, G.; Bass, J.M.; Bennett, S. (Dept. of Autom. Control & Syst. Eng., Sheffield Univ., UK) SO Proceedings. 24th EUROMICRO Conference (Cat. No.98EX204) Los Alamitos, CA, USA: IEEE Comput. Soc, 1998. p.372-8 vol.1 of 2 vol. liv+1075 pp. 11 refs. Conference: Vasteras, Sweden, 25-27 Aug 1998 Sponsor(s): Sun Microsyst.; ENATOR; ABB Network Partner; Ericsson; ABB Generation; K K Stiftelsen; ABB Ind. Syst.; Malardalens Hogskola Price: CCCC 1089-6503/98/$10.00 ISBN: 0-8186-8646-4 TC Practical AB In many industrial applications, arbitration between redundant subsystems using voting algorithms is popular. Many voting strategies implemented in hardware or software have been proposed, of which majority and median voters have been widely used in real applications. Detailed analysis of voters shows that they can be considered as a combination of independent components, each performing a specific function. The simulation of a component oriented model of voters is addressed. The paper presents the simulation results of a novel component oriented voter, the smoothing voter, which combines the safety properties of the majority voter with the advantages of mid value selection strategy. This work presents a first step toward the automatic insertion and implementation of voting algorithms using a software design environment.

TI Timely fault tolerance in responsive systems for distributed control. AU Snedsbol, R.; Lonn, H. (Dept. of Comput. Eng., Chalmers Univ.
of Technol., Goteborg, Sweden) SO Intelligent Autonomous Control in Aerospace. A Proceedings volume from the IFAC Conference Editor(s): Liu Liangdong Oxford, UK: Pergamon, 1997. p.349-54 of x+400 pp. 8 refs. Conference: Beijing, China, 14-16 Aug 1995 Sponsor(s): IFAC; IEEE ISBN: 0-08-042373-6 TC Practical; Theoretical AB Discusses error handling and agreement problems in a small safety-critical distributed control system. Fault tolerance mechanisms are designed to have a response time that matches the dynamics of the controlled object. These are implemented as a part of the communication system with a minimal message overhead.

TI Monitoring functional integrity in fault tolerant aircraft control computers for critical applications. AU Belcastro, C.M. (NASA Langley Res. Center, Hampton, VA, USA); Fischl, R. SO Proceedings of the 13th World Congress, International Federation of Automatic Control. Vol.O. Power Plants and Systems, Computer Control Editor(s): Gertler, J.J.; Cruz, J.B., Jr.; Peshkin, M.; Kummel, M.; Welfonder, E.; Motus, L.; MacLeod, I.; De La Puente, J.; Verbruggen, H.B.; Fleming, P. Oxford, UK: Pergamon, 1997. p.273-8 of xi+500 pp. 6 refs. Conference: San Francisco, CA, USA, 30 June-5 July 1996 ISBN: 0-08-042923-8 TC Application; Practical; Theoretical AB Verifying integrity of control computers in adverse operating environments is a key issue in the development, certification, and operation of critical control systems. The paper considers the problem of applying distributed detection techniques and decision fusion to monitoring the integrity of fault tolerant redundant control computers. A monitoring strategy is presented and demonstrated from glideslope engaged until flare using a detailed simulation of a quad-redundant longitudinal control system for the B737 Autoland.

TI Online system upgrade on CENTUM CS FCSs. AU Ito, H.; Nishida, J.; Ohsako, S.; Yajima, H. (Ind. Autom. Syst. Bus. Div., Yokogawa Electr.
Corp., Japan) SO Yokogawa Technical Report (English Edition) (June 1998) no.25, p.13-16. 1 refs. Published by: Yokogawa Electric Corp CODEN: YTREEO ISSN: 0911-8977 SICI: 0911-8977(199806)25L.13:OSUC;1-7 DT Journal TC Application; Practical CY Japan LA English AB We have developed the online system upgrade function for CENTUM CS FCSs (Field Control Stations). The control function only requires the system to pause for two seconds for upgrading. In conjunction with the existing online application data modification function, this function increases the maintainability and availability of DCSs (distributed control systems).

TI Reliability modeling of hard real-time systems. AU Kim, H. (Dept. of Electr. Eng., Yonsei Univ., Seoul, South Korea); White, A.L.; Shin, K.G. SO Digest of Papers. Twenty-Eighth Annual International Symposium on Fault-Tolerant Computing (Cat. No.98CB36224) Los Alamitos, CA, USA: IEEE Comput. Soc, 1998. p.304-13 of xx+470 pp. 13 refs. Conference: Munich, Germany, 23-25 June 1998 Sponsor(s): IEEE Comput. Soc. Tech. Committee on Fault-Tolerant Comput.; IFIP WG 10.4 on Dependable Comput. & Fault Tolerance Price: CCCC 0731-3071/98/$10.00 ISBN: 0-8186-8470-4 DT Conference Article TC Theoretical CY United States LA English AB A hard real-time control system, such as a fly-by-wire system, fails catastrophically (e.g., lose stability) if its control input is not updated by its digital controller computer within a certain time limit called the hard deadline. To assess and validate system reliability by using a semi-Markov model that explicitly contains the deadline information, we propose a path-space approach deriving the upper and lower bounds of the probability of system failure.

TI Application of dynamic reconfiguration in the design of fault tolerant production systems. AU Matos, G. (Siemens Corp. Res. Inc., Princeton, NJ, USA); White, E. SO Proceedings. Fourth International Conference on Configurable Distributed Systems (Cat.
No.98EX159) Los Alamitos, CA, USA: IEEE Comput. Soc, 1998. p.2-9 of viii+233 pp. 6 refs. Conference: Annapolis, MD, USA, 4-6 May 1998 Sponsor(s): Univ. Maryland Inst. Adv. Comput. Studies Price: CCCC 0 8186 8451 8/98/$10.00 ISBN: 0-8186-8451-8 DT Conference Article TC Practical CY United States LA English AB We show how fault tolerance can be achieved in production systems with multiple identical devices using dynamic reconfiguration. Our method is based on the automated synchronization of independently designed components that makes them consistent with receptive safety properties. Automated synchronization allows us to design the components as independent controllers for individual devices and to integrate the system by combining the components and asserting their interaction constraints in the form of receptive safety properties. Receptive safety properties specify the interaction between the functional components and can become inactive when a failure of a referenced component occurs.

TI Reliability analysis of microcomputer circuit modules and computer based control systems important to safety of nuclear power plants. AU Khobare, S.K.; Shrikhande, S.V.; Chandra, U.; Govindarajan, G. (Remote Control Div., Bhabha Atomic Res. Centre, Mumbai, India) SO Reliability Engineering & System Safety (Feb. 1998) vol.59, no.2, p.253-8. 14 refs. Doc. No.: S0951-8320(97)00151-8 Published by: Elsevier Price: CCCC 0951-8320/98/$19.00 CODEN: RESSEP ISSN: 0951-8320 SICI: 0951-8320(199802)59:2L.253:RAMC;1-9 DT Journal TC Theoretical CY United Kingdom LA English AB Computer-based safety related control and instrumentation (C&I) systems are being employed in Indian nuclear power plants (NPPs). These systems are designed around a standardized family of microcomputer based circuit modules, which are qualified to the stringent requirements of the nuclear industry.
Reliability analysis of standardized microcomputer circuit modules, used in safety-related C&I systems, were carried out using an analysis package based on the methodology and database of MIL-STD-217-F1. The estimated failure rate values of standardized microcomputer circuit modules will be useful, for reliability assessment of various other safety related C&I systems developed around these modules, for ongoing and future Indian NPPs.

TI MEADEP and its applications in evaluating dependability for air traffic control systems. AU Dong Tang; Hecht, M. (SoHaR Inc., Beverly Hills, CA, USA); Handal, J.; Czekalski, L. SO Annual Reliability and Maintainability Symposium 1998 Proceedings. International Symposium on Product Quality and Integrity (Cat. No.98CH36161) New York, NY, USA: IEEE, 1998. p.195-201 of xvi+433 pp. 15 refs. Conference: Anaheim, CA, USA, 19-22 Jan 1998 Sponsor(s): IEEE Price: CCCC 0 7803 4362 X/98/$10.00 ISBN: 0-7803-4362-X DT Conference Article TC Application; Practical CY United States LA English AB MEADEP (measure dependability) is a user-friendly dependability evaluation tool for measurement-based analysis of computing systems including both hardware and software. Use of the tool on failure data from measurements can provide quantitative assessments of dependability for critical systems, while greatly reducing requirements for specialized skills in data processing, analysis, and modeling from the user.

TI Practical approach for the evaluation of safety related programmable electronics. AU Hietikko, M. (VTT Manuf. Technol., Tampere, Finland); Tiusanen, R. SO SAFECOMP 95. 14th International Conference on Computer Safety, Reliability and Security Editor(s): Rabe, G. Berlin, Germany: Springer-Verlag, 1995. p.467-73 of xii+516 pp. 6 refs. Conference: Belgirate, Italy, 11-13 Oct 1995 Sponsor(s): Eur. Workshop on Ind. Comput. Syst. Tech. Committee 7; Eur. Commission-Joint Res. Centre-Inst. Syst. Eng.
& Informatics; et al ISBN: 3-540-19962-4 DT Conference Article TC Theoretical CY Germany, Federal Republic of LA English AB The goal of our study was to find a practical way for the identification and analysis of safety critical hardware and software faults and for the assessment of the safety measures related to these faults. We describe the identification of faults in three safety related PE systems by using a combination of analysis methods.

TI Mission management system for an autonomous underwater vehicle. AU Madsen, H.O. (Maridan ApS, Horsholm, Denmark) SO Proceedings. 4th IFAC Conference on Manoeuvring and Control of Marine Craft. MCMC '97 Editor(s): Vukic, Z.; Roberts, G.N. Zagreb, Croatia: KoREMA-Croatian Soc. Commun. Comput. Electron. Meas. & Control, 1997. p.31-5 of 179 pp. 9 refs. Conference: Brijuni, Croatia, 10-12 Sept 1997 ISBN: 953-6037-22-X DT Conference Article TC Practical; Experimental CY Croatia LA English AB The unmanned, autonomous underwater vehicle (AUV) MARTIN has been developed for offshore applications, such as cable and pipeline inspections, environmental surveys and seabed mapping. The vehicle is equipped with a distributed control system consisting of 20 microcontroller based local nodes for the hardware interface and up to four industrial PCs running OS9000 for high level control. The nodes are connected by a CAN bus. The CAN bus is furthermore connected to the operator's PC and control box on-board the mother ship through a radio link or an acoustic modem. The long range and high precision survey demands require an extensive diagnosis system and a fault tolerant control system. The distributed, multiprocessor control system is designed modular and reconfigurable. The overall control is managed by a mission management system, consisting of a diagnosis system, mission executor, vehicle support system and mission control.

TI Behavior of a computer based interlocking system under transient hardware faults.
AU Romano, L.; Kalbarczyk, Z.; Iyer, R.K. (Center for Reliable & High Performance Comput., Illinois Univ., Urbana, IL, USA); Mazzeo, A.; Mazzocca, N. SO Proceedings. Pacific Rim International Symposium on Fault-Tolerant Systems (Cat. No.97TB100202) Los Alamitos, CA, USA: IEEE Comput. Soc, 1997. p.174-9 of xii+243 pp. 6 refs. Conference: Taipei, Taiwan, 15-16 Dec 1997 Sponsor(s): IEEE Comput. Soc. Tech. Committee on Fault-Tolerant Comput.; Nat. Taiwan Univ.; Nat. Sci. Council, Taiwan; Ministr. Educ., Taiwan; Inst. Inf. & Comput. Machinery, Taiwan Price: CCCC 0 8186 8212 4/97/$10.00 ISBN: 0-8186-8212-4 DT Conference Article TC Theoretical CY United States LA English AB The paper addresses the safety analysis and evaluation of a hard real-time, interlocking, railway control system. The major objective is to demonstrate an efficient methodology capable of capturing crucial system dependability characteristics while allowing meaningful results to be obtained within a reasonable time. The evaluation is done by simulating the execution of the control software under transient hardware faults.

TI Engineering oriented dependability evaluation: MEADEP and its applications. AU Tang, D.; Hecht, M.; Agron, J.; Miller, A.; Hecht, H. (SoHaR Inc., Beverly Hills, CA, USA) SO Proceedings. Pacific Rim International Symposium on Fault-Tolerant Systems (Cat. No.97TB100202) Los Alamitos, CA, USA: IEEE Comput. Soc, 1997. p.85-90 of xii+243 pp. 16 refs. Conference: Taipei, Taiwan, 15-16 Dec 1997 Sponsor(s): IEEE Comput. Soc. Tech. Committee on Fault-Tolerant Comput.; Nat. Taiwan Univ.; Nat. Sci. Council, Taiwan; Ministr. Educ., Taiwan; Inst. Inf. & Comput.
Machinery, Taiwan Price: CCCC 0 8186 8212 4/97/$10.00 ISBN: 0-8186-8212-4 DT Conference Article TC Application; Practical CY United States LA English AB Use of the MEADEP tool on failure data from measurements can provide objective evaluations of dependability for critical systems, while greatly reducing requirements for specialized skills in data processing, analysis, and modeling from the user. MEADEP has been applied to evaluate availability for two air traffic control systems based on operational failure data and results produced by MEADEP have provided valuable feedback to the project management of these critical systems. MEADEP has also been used to analyze a nuclear power plant safety model, based on the Eagle 21 architecture and its early field failure data, and results of sensitivity analysis on the model are discussed.

TI An embedded fail-safe interlocking system. AU Bin Pei (Signal Dept., China Railway Signal & Commun. Co., Beijing, China); Yinghua Ming SO Proceedings. Pacific Rim International Symposium on Fault-Tolerant Systems (Cat. No.97TB100202) Los Alamitos, CA, USA: IEEE Comput. Soc, 1997. p.22-7 of xii+243 pp. 7 refs. Conference: Taipei, Taiwan, 15-16 Dec 1997 Sponsor(s): IEEE Comput. Soc. Tech. Committee on Fault-Tolerant Comput.; Nat. Taiwan Univ.; Nat. Sci. Council, Taiwan; Ministr. Educ., Taiwan; Inst. Inf. & Comput. Machinery, Taiwan Price: CCCC 0 8186 8212 4/97/$10.00 ISBN: 0-8186-8212-4 DT Conference Article TC Practical CY United States LA English AB The paper presents a fail-safe railway interlocking system embedded in an Area Control Center (ACC) system. The host of the system is a TANDEM NONSTOP HIMALAYA K200 computer. The fault tolerant computer aims at high safety, reliability and availability. In addition, the dispatcher management system, device supervision system, and train control system are integrated in the host computer to ensure high performance. Tens of stations can be controlled by the system concurrently.
The paper also presents some measures in the software used to ensure safety of the interlocking system. These measures have been verified by practical applications in old versions of the interlocking system.

TI A framework for modelling dependable real-time distributed systems. AU Yeong-Jia Chen; Mosse, D.; Shi-Kuo Chang (Dept. of Comput. Sci., Pittsburgh Univ., PA, USA) SO International Journal of Systems Science (Nov. 1997) vol.28, no.11, p.1025-43. 20 refs. Published by: Taylor & Francis Price: CCCC 0020-7721/97/$12.00 CODEN: IJSYA9 ISSN: 0020-7721 SICI: 0020-7721(199711)28:11L.1025:FMDR;1-O DT Journal TC Practical; Theoretical CY United Kingdom LA English AB A systematic way to introduce fault-tolerant and time-dependent properties into a complex software system is presented. The approach is based on an extended Petri net model, called the G-Net, enhanced with a deterministic timing scheme. In the timed G-Net (TGN) model, exception handling and timing mechanisms are used to introduce fault-tolerant and real-time properties. The basic idea is to use basic building blocks with timing properties to allow objects to treat a timing error by raising an exception and triggering some corrective actions. We use examples to show that a simplified real-time distributed air traffic control system can be modelled effectively using the SMO model.

TI Dependability evaluation of fault tolerant architectures in distributed industrial control systems. AU Campelo, J.C.; Rodriguez, F.; Serrano, J.J.; Gil, P.J. (Valencia Univ., Spain) SO Proceedings. 1997 IEEE International Workshop on Factory Communication Systems. WFCS'97 (Cat. No.97TH8313) Editor(s): Fuertes, J.M.; Juanole, G. New York, NY, USA: IEEE, 1997. p.193-200 of xiv+390 pp. 14 refs. Conference: Barcelona, Spain, 1-3 Oct 1997 Sponsor(s): IEEE Ind. Electron. Soc.; Univ. Polytech.
Catalunya Price: CCCC 0 7803 4182 1/97/$10.00 ISBN: 0-7803-4182-1 DT Conference Article TC Practical CY United States LA English AB We study different fault tolerant architectures for the nodes of these systems and present three different alternatives in order to develop fault tolerant nodes. Moreover, in order to evaluate their dependability we present theoretical models of each one, based on Markov chains, and the results obtained (reliability and safety).

TI A fault-tolerant communication architecture for real-time control systems. AU Hilmer, H.; Kochs, H.-D. (Dept. of Comput. Sci., Duisburg Univ., Germany); Dittmar, E. SO Proceedings. 1997 IEEE International Workshop on Factory Communication Systems. WFCS'97 (Cat. No.97TH8313) Editor(s): Fuertes, J.M.; Juanole, G. New York, NY, USA: IEEE, 1997. p.111-18 of xiv+390 pp. 7 refs. Conference: Barcelona, Spain, 1-3 Oct 1997 Sponsor(s): IEEE Ind. Electron. Soc.; Univ. Polytech. Catalunya Price: CCCC 0 7803 4182 1/97/$10.00 ISBN: 0-7803-4182-1 DT Conference Article TC Practical CY United States LA English AB Modern distributed computer control systems have to provide both highly reliable and hard real-time communication. To meet these requirements, a communication protocol adapted to the characteristics of data to be transferred has to be chosen. Concerning high reliability, additional measures have to be taken, since current protocols of the field-bus domain do not provide sufficient fault tolerance capabilities, especially with regard to fault detection and redundancy management. The article introduces a system architecture and fault-tolerant protocol mechanisms based on the communication protocol CAN. The system is suitable for large-scale control systems, which have to cope with both periodically and spontaneously occurring data.

TI Specification and verification of real-time systems using ACSR-VP. AU Sung-Mook Lim; Jin-Young Choi (Dept. of Comput. Sci. & Eng., Korea Univ., Seoul, South Korea) SO Proceedings.
Fourth International Workshop on Real-Time Computing Systems and Applications (Cat. No.97TB100160) Los Alamitos, CA, USA: IEEE Comput. Soc, 1997. p.135-42 of xi+285 pp. 14 refs. Conference: Taipei, Taiwan, 27-29 Oct 1997 Sponsor(s): Inst. Inf. Sci., Acad. Sinica, ROC; Chung-Shan Inst.; Inst. Inf. Ind.; Ind. Technol. Res. Inst.; Inst. Inf. & Comput. Machinery; Ministr. Educ.; Nat. Chung-Chen Univ.; Nat. Sci. Council; Telecommun. Lab.; IEEE Comput. Soc. Tech. Committee on Real-Time Comput Price: CCCC 0 8186 8073 3/97/$10.00 ISBN: 0-8186-8073-3 DT Conference Article TC Practical CY United States LA English AB When one designs a real-time system, methods to guarantee the correctness of the system are needed before the implementation of the system. We specify a scheduling algorithm of real-time systems called priority ceiling protocol using ACSR-VP and perform schedulability analysis on real-time systems by checking for a bisimulation relation.

TI Design of dependable control systems using a component based approach. AU Blanke, M. (Dept. of Control Eng., Aalborg Univ., Denmark) SO On-Line Fault Detection and Supervision in the Chemical Process Industries 1995. A Postprint Volume from the IFAC Workshop Editor(s): Morris, A.J.; Martin, E.B. Oxford, UK: Pergamon, 1996. p.167-74 of vii+237 pp. 22 refs. Conference: Newcastle upon Tyne, UK, 12-13 June 1995 Sponsor(s): IFAC ISBN: 0-08-042607-7 DT Conference Article TC Practical; Theoretical CY United Kingdom LA English AB Design of fault handling in control systems is discussed and a consistent method for design is presented. It is based on analysis of component fault modes and their effects. Automated analysis provides decision tables for fault handling. Mathematical models for fault detection and isolation are obtained from bond-graph models of components and subsystems.
The outcome is a methodology for engineering design which presents the propagation of component faults and shows where fault handling should be applied to stop migration of a fault. The result is a way to obtain significantly improved dependability with simple means.

TI Distributed control of a multiple tethered mobile robot system for highway maintenance and construction. AU Xin Feng; Velinsky, S.A. (Adv. Highway Maintenance & Construction Technol., California Univ., Davis, CA, USA) SO Microcomputers in Civil Engineering (Nov. 1997) vol.12, no.6, p.383-92. 8 refs. Published by: Blackwell Publishers Price: CCCC 0885-9507/97/$6.00+.15 CODEN: MCENE7 ISSN: 0885-9507 SICI: 0885-9507(199711)12:6L.383:DCMT;1-S DT Journal TC Practical CY United States LA English AB The development of a distributed control system for a multiple mobile robot system is described. The mobile robots considered have been termed tethered mobile robots (TMRs). The TMRs are differentially steered, wheeled mobile robots tethered to a support vehicle, and they have been designed for automating highway maintenance and construction. The control system consists of a network of a host computer and several real-time dynamic controllers. The system's fault-tolerance is achieved from a distributed architecture and overall condition monitoring.

TI System stress tests ensure the availability of electronic interlockings [rail traffic control]. AU Birtel, P. SO Signal und Draht (June 1997) vol.89, no.6, p.12-16. 2 refs. Published by: Tetzlaff Verlag CODEN: SIGDAN ISSN: 0037-4997 SICI: 0037-4997(199706)89:6L.12:SSTE;1-1 DT Journal TC Application; Practical CY Germany, Federal Republic of LA German AB Interlocking schemes must not only be safe but also offer high availability. The growing size of electronic interlocking schemes with configurations of up to 120 computers makes special demands on the system software.
This paper describes how installation-specific stress tests are carried out at a systems test centre in order to test the dynamic processes in large computer configurations.

TI Intelligent control systems for fault-tolerant manipulators. AU Tosunoglu, S. (Dept. of Mech. Eng., Florida Int. Univ., Miami, FL, USA) SO Recent Advances in Mechatronics. Proceedings of International Conference on Recent Advances in Mechatronics, ICRAM '95 Editor(s): Kaynak, O.; Ozkan, M.; Bekiroglu, N.; Tunay, I. Istanbul, Turkey: Bogazici Univ, 1995. p.356-62 vol.1 of 2 vol. xvii+1177 pp. 14 refs. Availability: Bogazici University, Electrical and Electronics Engineering, Bebek 80815, Istanbul, Turkey Conference: Istanbul, Turkey, 14-16 Aug 1995 ISBN: 975-518-063-X DT Conference Article TC Theoretical CY Turkey LA English AB This work presents the general architecture of an intelligent controller system developed for fault-tolerant manipulators. When a failure is detected in a robotic system, the intelligent controller makes decisions for the reallocation of resources, and announces the new task assignments to recover the system from failure as gracefully as possible. A different controller design is usually required for the recovery process. An intelligent controller adjusts the system model, selects the most appropriate control method, and completes the design for the post-failure portion of the operation.

TI Recent trends in train traffic control systems. AU Kawaguchi, K. (Omika Works, Hitachi Ltd., Japan); Komaki, T.; Yamada, T.; Fukushima, T. SO Hitachi Review (April 1997) vol.46, no.2, p.85-8. 5 refs.
Published by: Hitachi CODEN: HITAAQ ISSN: 0018-277X SICI: 0018-277X(199704)46:2L.85:RTTT;1-A DT Journal TC Application; New Development; Practical CY Japan LA English AB Train traffic control systems, which track the train positions on the lines and automatically control traffic signals according to a train schedule, contribute to both the on-time running of trains and a reduction in the load on dispatchers. Recently the range of automation in such systems has increased and automatic control of shunting trains within train yards is now also done, in addition to control of trains running on the main lines. These functions support quick recovery from schedule delays. Fault tolerant control computers are the nucleus of the computer system, realizing high reliability and ease of maintenance with the system continuing to run even during hardware breakdowns. An autonomous decentralized network realizes high reliability through a double transmission route and system flexibility is improved.

TI Experimental evaluation of computer-based railway control systems. AU Amendola, A.M.; Impagliazzo, L.; Marmo, P.; Poli, F. (Ansaldo-Cris, Napoli, Italy) SO Digest of Papers. Twenty-Seventh Annual International Symposium on Fault-Tolerant Computing (Cat. No.97CB36054) Los Alamitos, CA, USA: IEEE Comput. Soc, 1997. p.380-4 of xvii+396 pp. 12 refs. Conference: Seattle, WA, USA, 24-27 June 1997 Sponsor(s): IEEE Comput. Soc. Tech. Committee on Fault-Tolerant Comput.; IFIP WG 10.4 on Dependable Comput. & Fault Tolerance; Boeing Company; Microsoft Corp.; Tandem; Allied Signal; Univ. Washington; Purdue Univ.; Univ. Essen Price: CCCC 0731-3071/97/$10.00 ISBN: 0-8186-7831-3 DT Conference Article TC Practical; Experimental CY United States LA English AB The methodological framework for LIVE is summarized. LIVE integrates fault injection and software testing techniques to achieve an accurate and nonintrusive analysis of a system prototype.
Such evaluation is needed to ensure full compliance with the new dependability standards emerging for railway apparatus. The test results of a trial application are presented. These results highlight the importance of the quality of the test set and its influence on the final evaluation of system dependability.

TI Fault tolerance in a distributed control system for combined cycle power plants. AU Ramirez Valenzuela, C.E.; Delgadillo Valencia, M.A. (Departamento de Instrum. y Control, Temixco, Mexico) SO Control of Power Plants and Power Systems (SIPOWER'95). A Proceedings volume from the IFAC Symposium Editor(s): Canales-Ruiz, R. Oxford, UK: Pergamon, 1996. p.231-5 of xi+542 pp. 8 refs. Conference: Cancun, Mexico, 6-8 Dec 1995 Sponsor(s): IFAC ISBN: 0-08-042362-0 DT Conference Article TC Practical CY United Kingdom LA English AB This paper presents how a fault tolerant scheme (FTS) for the controllers of a power plant distributed control system is selected. A dual-redundant configuration was chosen based on a dependability analysis. The defined FTS is described in terms of the four phases of fault-tolerance. A combination of stand-by and a synchronous scheme is considered. The FTS resulted in a cost-effective solution for increasing the control system reliability, for two main reasons: the hardware configuration does not require special elements, and the FTS takes advantage of the manual tracking algorithm to keep the FTS software simple.

TI The fault-tolerant measurement and control system based on the multi-microcomputers. AU Hui Zhang (Hefei Univ. of Technol., China) SO Proceedings of the IEEE International Conference on Industrial Technology (ICIT'96) (Cat. No.96TH8151) New York, NY, USA: IEEE, 1996. p.439-41 of xvi+884 pp. 4 refs. Conference: Shanghai, China, 2-6 Dec 1996 Sponsor(s): IEEE Ind. Electron. Soc.; Soc. Instrum. & Control Eng. (Japan); Tongji Univ.; IEEE Robotics & Autom. Soc.; IEEE Beijing Sect.; IEEE power Electron.
Soc.; Shanghai Jiaotong Univ.; Nat. Natural Sci. Found. China; State Educ. Commission of China ISBN: 0-7803-3104-4 DT Conference Article TC Practical CY United States LA English AB In this paper, the hardware structure design used in a normal industrial measurement and control system based on multiple microcomputers is discussed, and the multi-microcomputer system's error processing, voting algorithm and system reconfiguration methods are presented. These methods make the reliability of measurement and control systems higher. Finally an example is shown in this paper to illustrate the way the system is designed.

TI Fault-tolerant control-a case study of the Orsted satellite. AU Bogh, S.A.; Blanke, M. (Dept. of Control Eng., Aalborg Univ., Denmark) SO IEE Colloquium on Fault Diagnosis in Process Systems (Digest No.1997/174) London, UK: IEE, 1997. p.11/1-13 of 74 pp. 35 refs. Conference: London, UK, 21 April 1997 Sponsor(s): IEE DT Conference Article TC Practical CY United Kingdom LA English AB This paper presents the design strategy used to develop a supervisor for the attitude control system of the Danish Orsted satellite. The main topic is handling of faults arising in on-board instrumentation, i.e. how to detect faults and how to prevent propagation into failures with potential mission loss as a consequence. Formal methods are used to ensure complete coverage of all potential fault types and to guarantee that the design criteria are met in the final implementation.

TI Rapid prototyping of a sensor fault tolerant traction control system. AU Bennett, S.M.; Patton, R.J. (Dept. of Electron. Eng., Hull Univ., UK); Daley, S. SO IEE Colloquium on Fault Diagnosis in Process Systems (Digest No.1997/174) London, UK: IEE, 1997. p.2/1-6 of 74 pp. 23 refs. Conference: London, UK, 21 April 1997 Sponsor(s): IEE DT Conference Article TC Practical CY United Kingdom LA English AB The problem of sensor faults on an AC-drive system for an electric train is considered.
Intermittent disconnections of these sensors produces severe transient errors in the estimator in the control loop if not heavily filtered to suppress these errors which will degrade performance. This paper shows that model based techniques can be applied for achieving reliable tolerance of intermittent disconnections without degrading performance. This paper goes beyond simulation to show how such a system can be verified in hardware. TI System wide joint position sensor fault tolerance in robot systems using Cartesian accelerometers. AU Aldridge, H.A.; Juang, J.-N. (NASA Langley Res. Center, Hampton, VA, USA) SO Proceedings of the SPIE - The International Society for Optical Engineering (1996) vol.2905, p.92-100. 17 refs. Published by: SPIE-Int. Soc. Opt. Eng CODEN: PSISDG ISSN: 0277-786X SICI: 0277-786X(1996)2905L.92:SWJP;1-8 Conference: Sensor Fusion and Distributed Robotic Agents. Boston, MA, USA, 21-22 Nov 1996 Sponsor(s): SPIE DT Conference Article; Journal TC Practical; Experimental CY United States LA English AB This paper presents a method to obtain position information from Cartesian accelerometers without integration. Depending on the number and location of the accclerometers, the proposed system can tolerate the loss of multiple position sensors. A solution technique suitable for real-time implementation is presented. Simulations were conducted using five triaxial accelerometers to recover from the loss of up to four joint position sensors on a 7-degree-of-freedom robot moving in general 3D space. TI Building distributed scalable dependable real-time systems. AU Ravindran, B.; Welch, L.R. (Dept. of Comput. Sci. Eng., Texas Univ., Arlington, TX, USA); Kelling, C. SO Proceedings. International Conference and Workshop on Engineering of Computer-Based Systems (Cat. No.97TB100105) Editor(s): Rozenblit, J.; Ewing, T.; Schulz, S. Los Alamitos, CA, USA: IEEE Computer. Soc. Press, 1997. p.452-9 of xv+508 pp. 8 refs. 
Conference: Monterey, CA, USA, 24-28 March 1997 Sponsor(s): IEEE Comput. Soc. Tech. Committee on Eng. Comput.-Based Syst.; Univ. Arizona Price: CCCC 0 8186 7889 5/97/$10.00 ISBN: 0-8186-7889-5 DT Conference Article TC Practical CY United States LA English AB This paper describes an on-going effort in constructing a platform for developing distributed, embedded, real-time control systems which have high dependability and scalability requirements. Complex, embedded real-time control systems typically have a very large grain task model upon which hard and soft timing constraints are simultaneously imposed. Often, such systems are required to function in extremely hostile and unpredictable environments. This demands large dependability and availability in a continuous manner We describe a new paradigm to build such systems which is based on the notion of paths-the granularity at which the notion of time is expressed in software. TI Dynamic fault tree analysis for digital fly-by-wire flight control system. AU Yao Yiping; Yang Xiaojun; Li Peiqiong (Dept. of Autom. Control, Beijing Univ. of Aeronaut. & Astronaut., China) SO 15th DASC. AIAA/IEEE Digital Avionics Systems Conference (Cat. No.96CH35959) New York, NY, USA: IEEE, 1996. p.479-84 of 504 pp. 5 refs. Conference: Atlanta, GA, USA, 27-31 Oct 1996 Price: CCCC 0 7803 3385 3/96/$5.00 ISBN: 0-7803-3385-3 DT Conference Article TC Practical; Theoretical CY United States LA English AB Digital Fly-By-Wire (FBW) Flight Control System (FCS) is designed to achieve high level of reliability, frequently employ high level of redundancy. Dynamic redundancy employed in FEW system can realize complex fault and error diagnosis, recovery and reconfiguration. It is very difficult to analyze the reliability of the FEW system by traditional methods, such as Fault Tree Analysis (FTA) or Network Analysis. 
This paper describes dynamic fault-tree modeling techniques for handling these difficulties and provides a Markov Chain generation modeling method for coverting Dynamic Fault Tree to Markov Chain. The software failure of the FBW system can also be considered in the model. An example of a quadruple FEW redundant system and a Markov State Transition Chain software package (MSTCP) are given. TI An integrated fault-tolerant control and diagnostics system for nuclear power plants. AU Eryurek, E. (Fisher-Rosemount, Eden Prairie, MN, USA); Upadhyaya, B.R. SO Proceedings of the Topical Meeting on Computer-Based Human Support Systems: Technology, Methods, and Future La Grange, IL, USA: ANS, 1995. p.267-74 of viii+529 pp. 5 refs. Conference: Philadelphia, PA, USA, 25-29 June 1995 Sponsor(s): ANS ISBN: 0-89448-197-5 DT Conference Article TC Practical CY United States LA English AB The paper describes the design and implementation of a control system that integrates various modules into one large computer-aided system. The digital technology enables one to implement this new feature in the software domain. The use of computational intelligence such as fuzzy logic, neural networks and adaptive control algorithms, have broadened the relevance of developing robust and reliable control systems for nuclear power plants. The integration of these control algorithms with validation and monitoring modules will further enhance the availability and safety of systems in the presence of degrading measurements, controller anomalies, and unanticipated transients. TI An error model for computer control systems. AU Bass, J.M.; Fleming, P.J. (Sheffield Univ., UK); Tyrrell, A.M. SO UKACC International Conference on Control '96 (Conf. Publ. No.427) London, UK: IEE, 1996. p.353-8 vol.1 of 2 vol. xxxxiii+1489 pp. 11 refs. 
Conference: Exeter, UK, 2-5 Sept 1996 ISBN: 0-85296-666-0 DT Conference Article TC Application; Practical CY United Kingdom LA English AB This paper presents an error model that is intended to allow the dependability of computer control systems, with fault tolerant mechanisms included, to be evaluated. The model allows error 'surfaces' to be defined for a given application, and used to define an error region that will give a measure of error coverage. The paper applies the model to an illustrative example to show how it might be used in an autopilot. TI Adaptable fault tolerance for distributed process control using exclusively standard components. AU Bohne, J.; Gronberg, R. (Res. & Technol., Daimler-Benz AG, Berlin, Germany) SO Dependable Computing - EDCC-2. Second European Dependable Computing Conference Proceedings Editor(s): Hlawiczka, A.; Silva, J.G.; Simoncini, L. Berlin, Germany: Springer-Verlag, 1996. p.21-34 of xvi+440 pp. 14 refs. Conference: Taormina, Italy, 2-4 Oct 1996 ISBN: 3-540-61772-8 DT Conference Article TC Practical CY Germany, Federal Republic of LA English AB Describes an adaptable fault tolerance architecture for distributed process control which uses exclusively standard hardware, standard system software and standard protocols. It offers a quick and low-cost solution to provide non-safety-critical technical facilities and plants with continuous service; thereby, a maximum of practicability for the application engineers is achieved. The architecture is composed from well-known fault tolerance methods under the constraints of real-time requirements. Because of the transparency of the fault tolerance, each functional part of the process control, which is represented by an application task, can be implemented without regard to non-determinism and executing hosts. It can be expected by a fault-tolerant system that reconfiguration following a fault is done automatically. 
The present system does more: it reintegrates repaired hosts automatically and re-establishes the redundant operation while the entire system is working. TI Disk array subsystem with non-stop operation. AU Nozawa, M.; Takamatsu, H.; Shimada, A. SO Hitachi Review (Oct. 1996) vol.45, no.5, p.261-6. 2 refs. Published by: Hitachi CODEN: HITAAQ ISSN: 0018-277X SICI: 0018-277X(199610)45:5L.261:DASW;1-9 DT Journal TC Practical; Product Review CY Japan LA English AB To meet continuous operation needs, we have developed a disk array subsystem, the H-6591/H-6595, as the primary storage subsystem of the Hitachi M Parallel Series. As the disk subsystem for our large-scale computers, the H-6591/H-6595 employs the redundant array of independent disks (RAID) 5 technology for the first time. It can support 24-hour/365-day non-stop operation by its control system redundancy (including duplex) and non-disruptive maintenance capabilities. TI Correct and robust decision systems for high complexity critical control systems. AU Browne, J.C.; Emerson, E.A.; Gouda, M.; Miranker, D.; Mok, A.; Chodrow, S.; Wang, R.-H.; Tsou, D.; Obermeyer, L. (Dept. of Comput. Sci., Texas Univ., Austin, TX, USA) SO Proceedings of the Third International Workshop on Responsive Computer Systems Austin, TX, USA: Univ. Texas at Austin, 1993. p.65-74 of v+239 pp. 33 refs. Conference: Lincoln, NH, USA, 29 Sept-1 Oct 1993 Sponsor(s): U.S. Office of Naval Res.; IEEE Comput. Soc DT Conference Article TC Application; Practical CY United States LA English AB This paper provides an overview of a methodology for the development of correct and robust decision systems for high-complexity critical control systems and an application of this methodology. This methodology incorporates state-based programming analyses, fault tolerance for both transient and resource loss errors and has the potential for parallel implementation. 
The technical foundation for the new paradigm for design and implementation of correct and robust decision systems for high complexity critical control systems is presented. An experimental application is presented. It is apparent from the preliminary experimental applications of the methodology that further development of the fundamental principles are necessary. TI The application of fault tolerance controls to Unmanned Air Vehicles. AU Vos, D.W.; Motazed, B. (Aurora Flight Sci. Corp., Manassas, VA, USA) SO Proceedings of the SPIE - The International Society for Optical Engineering (1996) vol.2738, p.69-75. 7 refs. Published by: SPIE-Int. Soc. Opt. Eng Price: CCCC 0 8194 2119 7/96/$6.00 CODEN: PSISDG ISSN: 0277-786X SICI: 0277-786X(1996)2738L.69:AFTC;1-1 Conference: Navigation and Control Technologies for Unmanned Systems. Orlando, FL, USA, 8-9 April 1996 Sponsor(s): SPIE DT Conference Article; Journal TC Practical CY United States LA English AB Autonomous unmanned systems require provisions for fault detection and recovery. Multiply-redundant schemes typically used in aerospace applications are prohibitively expensive and inappropriate solution for unmanned systems where low cost and small size are critical. Aurora Flight Sciences is developing alternative low-cost, fault-tolerant control (FTC) capabilities, incorporating failure detection and isolation, and control reconfiguring algorithms into aircraft flight control systems. A "monitoring observer", or failure detection filter, predicts the future aircraft state based on prior control inputs and measurements, and interprets discrepancies between the output of the two systems. The FTC detects and isolates the onset of a sensor or actuator failure in real-time, and automatically reconfigures the control laws to maintain full control authority. 
This methodology is unique in providing a compact and elegant FTC solution to dynamic systems with nonlinear parameter dependence, such as high-altitude UAVs (Unmanned Air Vehicles) and UUVs (Unmanned Undersea Vehicles), where the dynamic behaviour varies strongly with speed (i.e., dynamic pressure) and density. TI A practical method for creating plant diagnostics applications. AU Karsal, C.; Padalkar, S.; Franke, H.; Sztipanovits, J. (Dept. of Electr. & Comput. Eng., Vanderbilt Univ., Nashville, TN, USA); Decaria, F. SO Integrated Computer-Aided Engineering (1996) vol.3, no.4, p.291-304. 23 refs. Published by: Wiley Price: CCCC 1069-2509/96/040291-14 CODEN: ICAEEI ISSN: 1069-2509 SICI: 1069-2509(1996)3:4L.291:PMCP;1-M DT Journal TC Practical CY United States LA English AB The approach presented is available as part of IPCS (Intelligent Process Control System), which is a model based environment for generating monitoring, control, simulation, and diagnostics applications for large scale, continuous process plants. IPCS has been used to generate practical real time diagnostic and recovery applications in chemical and cogenerator plants. TI Safety computations in integrated circuits. AU Dufour, J.-L. (RAMS Dept., Matra Transp. Int., Montrouge, France) SO Proceedings. 14th IEEE VLSI Test Symposium (Cat. No.96TB100043) Los Alamitos, CA, USA: IEEE Comput. Soc. Press, 1996. p.169-72 of xxix+510 pp. 4 refs. Conference: Princeton, NJ, USA, 28 April-1 May 1996 Sponsor(s): IEEE Comput. Soc. 
Tech Committee on Test Technol.; IEEE Philadelphia Sect Price: CCCC 0 8186 7304 4/96/$05.00 ISBN: 0-8186-7304-4 DT Conference Article TC Application; Practical; Theoretical CY United States LA English AB In order to ensure the safety of software-based railway control systems, MATRA TRANSPORT has developed at the beginning of the eighties an "informational redundancy" technique associating arithmetic coding and signature checking, with the adequate environment interfaces (generally fail-safe devices). Compared to traditional redundancy, the "coded processor" has the advantage of a rigorous mathematical safety demonstration, independent of the reliability of the underlying hardware, but there is an important cost to pay in terms of execution speed. A new generation has been designed, replacing the software code calculations and the discrete numeric components used in coded input acquisition/coded output command by ASICs. Our experience shows that it is possible to perform safe computations in an ASIC, and even that in some cases ASICs are more adaptable to the safety constraints than software computations. TI System dependability evaluation via a fault list generation algorithm. AU Smith, D.T.; Johnson, B.W. (Dept. of Electr. Eng., Virginia Univ., Charlottesville, VA, USA); Profeta, J.A., III SO IEEE Transactions on Computers (Aug. 1996) vol.45, no.8, p.974-9. 19 refs. Published by: IEEE Price: CCCC 0018-9340/96/$05.00 CODEN: ITCOB4 ISSN: 0018-9340 SICI: 0018-9340(199608)45:8L.974:SDEF;1-P DT Journal TC Practical CY United States LA English AB The size and complexity of modern dependable computing systems has significantly compromised the ability to accurately measure system dependability attributes such as fault coverage and fault latency. Fault injection is one approach for the evaluation of dependability metrics. Unfortunately, fault injection techniques are difficult to apply because the size of the fault set is essentially infinite. 
The primary objective of this research effort was the development and implementation of algorithms which generate a fault set which fully exercises the fault detection and fault processing aspects of the system. The end result is a deterministic, automated method for accurately evaluating complex dependable computing systems using fault injection. TI Railway real-time control systems-modeling of dynamic redundant systems reliability. AU Christov, C.; Stoytcheva, N. (Higher Mil. Sch. of Transp., Sofia, Bulgaria) SO Second International Scientific Conference. Modern Supply Systems and Drives for Electric Traction. Conference Proceedings Warsaw, Poland: Warsaw Univ. Technol, 1995. p.42-7 of xiv+304 pp. 9 refs. Availability: Warsaw University of Technology, El. Traction Group, 00-661 Warsaw, Plac Politechniki 1, Poland Conference: Warsaw, Poland, 5-7 Oct 1995 Sponsor(s): Ministr. Educ. Naradowej; Komitet Badan Naukowych; IEE; et al DT Conference Article TC Theoretical CY Poland LA English AB This article considers some practical interesting cases when the reserve railway control subsystem can be held in cold and hot redundancy of the primary subsystem. The problem is to research and model the system availability if the reliability parameters of the system units are known. TI Communication architectures for distributed computer control systems. AU Dieterle, W.; Kochs, H.-D. (Dept. of Comput. Sci., Duisburg Univ., Germany); Dittmar, E. SO Distributed Computer Control Systems 1994. (DCCS'94). IFAC Workshop (Postprint Volume) Editor(s): de la Puente, J.A.; Rodd, M.G. Oxford, UK: Pergamon, 1995. p.7-12 of vii+183 pp. 11 refs. Conference: Toledo, Spain, 28-30 Sept 1994 Sponsor(s): IFAC ISBN: 0-08-042237-3 DT Conference Article TC Practical CY United Kingdom LA English AB The use of distributed computer control systems (DCCS) demands high reliability, sufficient real-time behaviour and increasingly economical systems. 
The last demand requires the use of cheap standard components, whenever possible. The article discusses the realization of DCCS with respect to these constraints. Problems due to conventional use of standardized communication protocols in distributed control systems in general and highly-reliable systems in particular are shown. Multicast communication concepts are presented as solutions, using standardized protocols in a problem specific way. TI Self-checking and fail-safe LSIs by intra-chip redundancy. AU Kanekawa, N. (Res. Lab., Hitachi Ltd., Japan); Nohmi, M.; Satoh, Y.; Satoh, H. SO Proceedings of the Twenty-Sixth International Symposium on Fault-Tolerant Computing. Digest of Papers (Cat. No.96CB35969) Los Alamitos, CA, USA: IEEE Comput. Soc. Press, 1996. p.426-30 of xxvi+442 pp. 8 refs. Conference: Sendai, Japan, 25-27 June 1996 Sponsor(s): IEEE Comput. Soc. Tech. Committee on Fault-Tolerant Comput.; IEICE Tech. Group on Fault-Tolerant Syst.; IFIP WG 10.4 on Dependable Comput. & Fault Tolerance; IEEE, Tokyo Sect.; Inf. Process. Soc. Japan; IEE Japan; Soc. Instrum. & Control Eng. Japan; Reliability Eng. Assoc. Japan Price: CCCC 0731-3071/96/$5.00 ISBN: 0-8186-7261-7 DT Conference Article TC Practical CY United States LA English AB Self checking comparators within the self checking LSI chips monitor the operation of redundant functional blocks to ensure the functionality of the LSIs. Spatial diversity and time diversity minimize correlated faults among redundant functional blocks, which may reduce fault detection coverage because of coincident faults. This approach allows advantage to be taken of the merits of today's most advanced LSI technologies. TI Architecture of the Texas A&M Autonomous Underwater Vehicle Controller. AU Barnett, D.; McClaran, S.; Nelson, E.; McDermott, M.; Williams, G. (Dept. of Comput. Sci., Texas A&M Univ., College Station, TX, USA) SO Proceedings of the 1996 Symposium on Autonomous Underwater Vehicle Technology (Cat. 
No.96CH35900) New York, NY, USA: IEEE, 1996. p.231-7 of 492 pp. 5 refs. Conference: Monterey, CA, USA, 2-6 June 1996 Sponsor(s): Oceanic Eng. Soc. IEEE Price: CCCC 0 7803 3185 0/96/$5.00 ISBN: 0-7803-3185-0 DT Conference Article TC Practical; Experimental CY United States LA English AB Presents the software and hardware architectures of the autonomous underwater vehicle controller (AUVC) developed at Texas A&M University. It is a controller for a long range, highly reliable UUV. Capabilities include mission planning/replanning, path planning, energy management, collision avoidance, threat detection and evasion, failure diagnosis and recovery, radio communication, navigation, and recovery from its internal faults. In its first version, functions were partitioned among eighteen loosely coupled processes. Rule-based systems performed mission management and fault diagnosis, while algorithmic control systems were used for lower-level control. The original AUVC software was designed for a network of sixteen processors in planar-2 configuration, with redundant communication paths. A software component provided reliable distributed computing. TI Fault tolerance in distributed safety systems. AU Gruber, T.; Kuhn, W.; Thuswald, M.; Staffel, G. (Bereich Ind. Messtech. & Inf., Osterreichisches Forschungszentrum Seibersdorf, Austria) SO Elektrotechnik und Informationstechnik (1996) vol.113, no.5, p.348-51. 8 refs. Published by: Springer-Verlag CODEN: EIEIEE ISSN: 0932-383X SICI: 0932-383X(1996)113:5L.348:FTDS;1-E DT Journal TC Application; Practical CY Austria LA German AB The practical implementation of fault tolerant systems is described, on the basis of two examples of industry cooperation in the areas of railway safety engineering and security control systems technology. TI Autonomous attitude determination and control system for the OErsted satellite. AU Bak, T.; Wisniewski, R.; Blanke, M. (Dept. 
of Control Eng., Aalborg Univ., Denmark) SO 1996 IEEE Aerospace Applications Conference. Proceedings (Cat. No.96CH35904) New York, NY, USA: IEEE, 1996. p.173-86 vol.2 of 4 vol. (xx+428+440+424+512) pp. 15 refs. Conference: Aspen, CO, USA, 3-10 Feb 1996 Sponsor(s): IEEE Aerosp. & Electron. Syst. Soc Price: CCCC 0 7803 3196 6/96/$5.00 ISBN: 0-7803-3196-6 DT Conference Article TC Application; Practical CY United States LA English AB The entire control and attitude determination system of the OErsted Satellite has the ability to reconfigure in real time, based on mission phase and contingency operation requirements. Attitude determination embraces three different strategies, dependent on the availability of attitude sensors. Possible sensor faults are detected and a control system supervisor autonomously reconfigures attitude determination. Estimated satellite attitude and angular velocity are used in the attitude controller. Control tasks vary with the mission phase. The salient feature of this system is fault tolerant autonomous operation with a minimum of hardware redundancy. TI An on-line expert system-based fault-tolerant control system. AU Wei Liu (Dept. of Autom., Tangshan Inst. of Technol., Hebei, China) SO Expert Systems with Applications (1996) vol.11, no.1, p.59-64. 15 refs. Doc. No.: S0957-4174(96)00006-1 Published by: Elsevier Price: CCCC 0957-4174/96/$15.00+0.00 CODEN: ESAPEH ISSN: 0957-4174 SICI: 0957-4174(1996)11:1L.59:LESB;1-G DT Journal TC Practical CY United Kingdom LA English AB Expert systems or artificial intelligence have been used successfully in fault diagnosis of the dynamic systems and their suitability for fault-tolerant control problems has also been demonstrated. In this paper an online expert system-based fault-tolerant control system (ESFTC) is considered which allows reconfiguration of the controller in feedback process systems during sensor or actuator failures or misoperation. 
It forms an online expert system, which consists of an analytical problem solution, a process knowledge base, a knowledge acquisition part and an inference mechanism. TI On the nature of deadlines [real time control systems]. AU Magalhaes, A.P. (Fac. de Engenharia, Porto Univ., Portugal); Rela, M.Z.; Silva, J.G. SO Microprocessors and Microsystems (April 1996) vol.20, no.2, p.79-88. 28 refs. Published by: Elsevier Price: CCCC 0141-9331/96/$15.00 CODEN: MIMID5 ISSN: 0141-9331 SICI: 0141-9331(199604)20:2L.79:NDRT;1-8 DT Journal TC Theoretical CY United Kingdom LA English AB This article discusses the timeliness of real-time control services as seen by control engineering and real-time scientific communities, arguing that computer-controllers must be designed to meet nominal deadlines that, under special circumstances, can be missed as long as hard deadlines are still met It develops a unified approach for establishing the nominal and the hard deadline of a time-critical control service. TI Design of a distributed fault-tolerant computer architecture applied to the traffic control system IVMS. AU Duschnig, E.; Weiss, R. (Inst. fuer Technische Inf., Graz Univ. of Technol., Austria) SO Proceedings. Second International Symposium on Parallel Architectures, Algorithms, and Networks (I-SPAN '96) (Cat. No.96TB100044) Editor(s): Li, G.-J.; Hsu, D.F.; Horiguchi, S.; Maggs, B. Los Alamitos, CA, USA: IEEE Comput. Soc. Press, 1996. p.341-4 of xiii+567 pp. 11 refs. Conference: Beijing, China, 12-14 June 1996 Sponsor(s): Chinese Nat. Res. Center for Intelligent Comput. Syst.; IEEE Comput. Soc.; IEEE Comput. Soc. Tech. Committee on Parallel Process.; Steering Committee of the Chinese Nat. Hi-Tech Programme; Inf. Process. Soc. Japan; Chinese Comput. Federation; IEICE Inf. & Syst. 
Soc Price: CCCC 1087-4089/96/$5.00 ISBN: 0-8186-7460-1 DT Conference Article TC Application; Practical CY United States LA English AB This paper presents the design of a fault-tolerant computer architecture for the traffic control system IVMS (Intelligent Variable Message Sign). In this project, IVMS stations with point-to-point communication links are to be installed along highways so as to control the traffic flow, yielding homogeneity. The principal design goal is to achieve high system availability at foul cost; the availability is calculated by Markov models. We have found that a distributed IVMS system based on simplex computers without static redundancy, is the most interesting architecture, because it allows degradation. TI Upset detection for closed-loop laboratory HIRF testing of fault tolerant aircraft control computers. AU Belcastro, C.M. (NASA Langley Res. Center, Hampton, VA, USA); Fischl, R. SO 14th DASC Digital Avionics Systems Conference AIAA/IEEE (Cat. No.95CH35873) New York, NY, USA: IEEE, 1995. p.438-47 of 516 pp. 6 refs. Conference: Cambridge, MA, USA, 5-9 Nov 1995 Price: CCCC 0 7803 3050 1/95/$4.00 ISBN: 0-7803-3050-1 DT Conference Article TC Practical; Theoretical; Experimental CY United States LA English AB Verifying integrity of the control computer in adverse operating environments is a key issue in the development, certification, and operation of critical control systems. This paper considers the problem of applying distributed detection techniques and decision fusion to monitoring the integrity of fault tolerant redundant control computers. A strategy is presented for monitoring a dynamic stochastic system for malfunctions or upsets during closed-loop laboratory testing for upset susceptibility due to HIRF. TI Formalising human error resistance and human error tolerance. AU Dearden, A.; Harrison, M. (Dept. of Comput. Sci., York Univ., UK) SO Proceedings. 
Fifth International Conference on Human-Machine Interaction and Artificial Intelligence in Aerospace. From Operations to Design: Closing the Loop Toulouse, France: Eur. Inst. Cognitive Sci. & Eng.-EURISCO, 1995. p.275-95 of 318 pp. 16 refs. Conference: Toulouse, France, 27-29 Sept 1995 DT Conference Article TC Theoretical CY France LA English AB A key aim of human-machine interface design for aircraft control systems is to prevent pilot errors from jeopardising the safety of the aircraft. In terms of safety engineering designers should seek designs that minimise the risk of human error. To achieve this designers should aim to produce designs for control systems that minimise the probability of human errors occurring, and that minimise the adverse consequences when such errors do occur. We show how, by using formal mathematical models as design representations for aircraft control systems, properties that contribute to the reduction of the risk from human error can be verified at an early stage of the design process. TI 777 Flight Controls validation process. AU Buus, H.; McLees, R.; Orgun, M.; Pasztor, E.; Schultz, L. (Boeing Commercial Airplanes, Seattle, WA, USA) SO 14th DASC Digital Avionics Systems Conference AIAA/IEEE (Cat. No.95CH35873) New York, NY, USA: IEEE, 1995. p.394-402 of 516 pp. 0 refs. Conference: Cambridge, MA, USA, 5-9 Nov 1995 Price: CCCC 0 7803 3050 1/95/$4.00 ISBN: 0-7803-3050-1 DT Conference Article TC Practical CY United States LA English AB The 777 airplane is the first Boeing commercial transport airplane to use a full fly-by-wire Flight Control System. The Primary Flight Control System (PFCS) provides manual airplane control and envelope protection in all axes using conventional pilot controls and control surfaces. Stability augmentation is provided in the pitch and yaw axes. 
The Autopilot and Flight Director System (AFDS) provides steering guidance for manual flight as well as automatic control of the airplane from takeoff to landing roll-out. The autopilot function of the AFDS provides low weather minimum operation down to CAT IIIB minimums. This paper will summarize the 777 Flight Controls validation process for the Primary Flight Control System and Autopilot Flight Director System. The validation process includes the development of the systems requirements to be validated, the methods by which validation is accomplished, the allocation of requirements to the most appropriate validation method, the means by which traceability of this process is maintained, the problem tracking system feedback to the process, and the organizational management of the process. TI Developing integrated hardware-software reliability models: difficulties and issues [for digital avionics]. AU Boyd, M.A. (Comput. Sci. Div., NASA Ames Res. Center, Moffett Field, CA, USA); Monahan, C.M. SO 14th DASC Digital Avionics Systems Conference AIAA/IEEE (Cat. No.95CH35873) New York, NY, USA: IEEE, 1995. p.193-8 of 516 pp. 25 refs. Conference: Cambridge, MA, USA, 5-9 Nov 1995 Price: CCCC 0 7803 3050 1/95/$4.00 ISBN: 0-7803-3050-1 DT Conference Article TC Theoretical CY United States LA English AB The development of integrated hardware-software system reliability models is very difficult. This paper discusses some of the differences between hardware and software reliability modeling which make integrating them together so hard. It also discusses issues that are unique to each and common to both, and lists open problems that need to resolved. TI Reliability issues for design and test of complex integrated circuits [in avionic systems]. AU Harrison, L.H. (Galaxy Sci. Corp., Egg Harbor Towship, NJ, USA); Saraceni, P.J., Jr. SO 14th DASC Digital Avionics Systems Conference AIAA/IEEE (Cat. No.95CH35873) New York, NY, USA: IEEE, 1995. p.173-7 of 516 pp. 4 refs. 
Conference: Cambridge, MA, USA, 5-9 Nov 1995 Price: CCCC 0 7803 3050 1/95/$4.00 ISBN: 0-7803-3050-1 DT Conference Article TC Practical CY United States LA English AB This paper introduces the topic, Complex Integrated Circuits, along with some of the certification risks associated with this technology. This work is a partial summary of a technical report prepared for the FAA Technical Center's Airport and Aircraft Safety R&D Branch, Flight Safety Research Section. This paper seeks to highlight some of the problems associated with complex digital hardware used in digital flight control and avionic systems. TI Fault tolerant techniques for a water turbine runner control system. AU Yidong Feng; Guangqiong Zhang (Inst. for Fluid Power Transmission & Control, Zhejiang Univ., Hangzhou, China) SO Proceedings of the IASTED International Conference Reliability Engineering and Its Applications Editor(s): Pham, H. Anaheim, CA, USA: IASTED-ACTA Press, 1994. p.33-6 of 54 pp. 5 refs. Conference: Honolulu, HI, USA, 15-17 Aug 1994 Sponsor(s): IASTED ISBN: 0-88986-192-7 DT Conference Article TC Practical; Theoretical CY United States LA English AB A new hydro-turbine runner control system (HRCS) has been developed to replace the conventional HRCS, which is constructed with mechanical components. The new HRCS is based on the dual STD bus computers and the proportional electrohydraulic valves are characterized with highly reliable fault tolerance. In this system, the fault tolerant techniques such as redundancy, fault detection, recombination, etc. have been applied successfully to achieve high reliability. The hardware structure, fault detection techniques, system rearrangement ability and reliability analysis are described in this paper. TI The Development Framework: work in progress towards a real-time control system design environment. AU Hajji, M.S.; Bass, J.M.; Browne, A.R.; Schroder, P. (Dept. of Autom. Control & Syst. Eng., Sheffield Univ., UK); Croll, P.R.; Fleming, P.J. 
SO IEE Colloquium on Advances in Computer-Aided Control System Design (Digest No.96/061) London, UK: IEE, 1996. p.4/1-3 of 40 pp. 10 refs. Conference: London, UK, 14 March 1996 DT Conference Article TC Practical CY United Kingdom LA English AB This paper describes work in progress on two extensions to the environment of a Development Framework for the design of control system software: hybrid system design and design of dependable systems. The Development Framework automatically converts a control engineering specification into a parallel implementation. Hybrid control systems are a combination of real-time control law and discrete-state logic. The Framework can be adapted so that it may handle discrete events such as mode switching. A statechart tool, Statemate [i-Logix95], is used to specify and model discrete-state components. TI A distributed safety-critical system for real-time train control. AU Ghosh, A.K.; Rana, V.; Johnson, B.W. (Dept. of Electr. Eng., Virginia Univ., Charlottesville, VA, USA); Profeta, J.A., III SO Proceedings of the 1995 IEEE IECON. 21st International Conference on Industrial Electronics, Control, and Instrumentation (Cat. No.95CH35868) New York, NY, USA: IEEE, 1995. p.760-7 vol.2 of 2 vol. (xlv+xxx+1651) pp. 16 refs. Conference: Orlando, FL, USA, 6-10 Nov 1995 Sponsor(s): Ind. Electron. Soc. IEEE; Soc. Instrum. & Control Eng. Japan Price: CCCC 0 7803 3026 9/95/$4.00 ISBN: 0-7803-3026-9 DT Conference Article TC Application; Practical CY United States LA English AB An architecture and methodology for executing a train control application in an ultra-safe manner is presented in this paper. Prior work in advanced train control systems is summarized along with its assumptions and drawbacks. A flexible architecture that allows fault-tolerant and fail-safe operation is presented for a distributed control system. A safety assurance technique which detects errors in software and hardware for simplex systems is presented in this paper. 
TI Mechanisms of operating systems supporting fault-tolerance of multicomputer control systems. AU Mamedli, E.M.; Sobolev, N.A. (Inst. of Control Sci., Acad. of Sci., Moscow, Russia) SO Automation and Remote Control (Aug. 1995) vol.56, no.8, pt.1, p.1065-105. 108 refs. Published by: Consultants Bureau Price: CCCC 0005-1179/95/5608-1065$12.50 CODEN: AURCAT ISSN: 0005-1179 SICI (Trl): 0005-1179(199508)56:8:1L.1065:MOSS;1-Z Translation of: Avtomatika i Telemekhanika (Aug. 1995) vol.56, no.8, p.3-63. 108 refs. CODEN: AVTEAI ISSN: 0005-2310 SICI: 0005-2310(199508)56:8L.3;1-O DT Journal; Translation Abstracted TC Bibliography; Practical; Theoretical CY Russian Federation; United States LA English AB Relationships between the methods for control and recovery of computations in fault-tolerant multicomputer control systems are formulated. The impact on fault-tolerance of resource allocation (determinate or random) within the computer system and of particular realization of synchronous interaction between computers executing copies of applications is determined. The design of efficient facilities for control of computations in systems with determinate and random resource allocation is shown to be of a dual nature. Any attempt to realize a general-purpose operating system adjustable to a particular real-time environment is shown to result inevitably in lower fault-tolerance. TI Hardware and software fault tolerance using fail-silent virtual duplex systems. AU Echtle, K.; Lovric, T. (Fachbereich Inf., Dortmund Univ., Germany) SO Fault-Tolerant Parallel and Distributed Systems (Cat. No.94TH0628-8) Editor(s): Pradhan, D.; Avresky, D. Los Alamitos, CA, USA: IEEE Comput. Soc. Press, 1995. p.10-17 of xv+285 pp. 17 refs. Conference: College Station, TX, USA, 12-14 June 1994 Price: CCCC 0 8186 6807 5/95/$4.00 ISBN: 0-8186-6807-5 DT Conference Article TC Practical CY United States LA English AB Safety-critical systems must detect and tolerate hardware and software faults. 
The multiple virtual duplex system, the new scheme we propose for application in distributed control systems, efficiently covers both objectives. It comprises design and systematic diversity, time redundancy and a minimal amount of nodes. As a building block we use the virtual duplex system, which executes diverse variants of the software sequentially on a single node. For large control systems we offer two protocol types: the communication overhead can be kept low by a simple protocol, or can be slightly increased to enable a pipeline, leading to a drastic reduction in the required time. TI The design and implementation of multiprocessor-based fault-tolerant cell controller for FMS. AU Xiao Gang; Dou Wenhua (Dept. of Comput. Sci., Changsha Inst. of Technol., Changsha, China) SO Proceedings of the SPIE - The International Society for Optical Engineering (1995) vol.2620, p.387-92. 10 refs. Published by: SPIE-Int. Soc. Opt. Eng Price: CCCC 0 8194 2012 3/95/$6.00 CODEN: PSISDG ISSN: 0277-786X SICI: 0277-786X(1995)2620L.387:DIMB;1-0 Conference: International Conference on Intelligent Manufacturing. Wuhan, China, 14-17 June 1995 Sponsor(s): Nat. Natural Sci. Found.; Huazhong Univ. Sci. & Technol.; SPIE; K.C. Wong Educ. Found DT Conference Article; Journal TC Practical CY United States LA English AB Flexible manufacturing system (FMS) provides many benefits such as: increased machine utilisation, increased productivity, reduced labour, reduced lead time, consistent product quality and so on, but the complexity of the manufacturing control system makes it unreliable. Multiprocessor systems provide high performance and very good environments for fault tolerance and monitoring, so the reliability of the control system for FMS can be greatly improved. YH-MCS is a multiprocessor based cell controller for FMS based on transputers and PCs implemented in China. The paper describes its characteristics and implementation issues on architecture, fault tolerance and fault location. 
TI Evolving fault tolerant systems. AU Thompson, A. (Sussex Univ., Brighton, UK) SO First International Conference on 'Genetic Algorithms in Engineering Systems: Innovations and Applications' GALESIA (Conf. Publ. No.414) London, UK: IEE, 1995. p.524-9 of xvi+548 pp. 11 refs. Conference: Sheffield, UK, 12-14 Sept 1995 Sponsor(s): IEE DT Conference Article TC Theoretical CY United Kingdom LA English AB The conventional mechanism used to gain fault tolerance is redundancy. In contrast, the paper suggests that artificial evolution can be used to produce systems that are inherently insensitive to faults, with fault tolerance becoming part of the task specification. The possible techniques are investigated, and the study is grounded in a real world evolved electronic control system for a robot. TI Low cost fault tolerant distributed control for fly-by-light systems. AU Morrison, B.D.; Robillard, M.N. (Equipment Div., Raytheon Co., Marlborough, MA, USA) SO Proceedings of the SPIE - The International Society for Optical Engineering (1994) vol.2295, p.46-51. 1 refs. Price: CCCC 0 8194 1619 3/94/$6.00 CODEN: PSISDG ISSN: 0277-786X Conference: Fly-by-Light. San Diego, CA, USA, 27-28 July 1994 Sponsor(s): SPIE DT Conference Article; Journal TC Practical CY United States LA English AB Distributed intelligence, fault tolerance, and fiber optic technology hold significant promise when applied to complex sensor/actuator systems such as those found in primary and secondary flight control systems. This paper outlines the theory of operation and configuration of a fault tolerant distributed control system jointly developed by Raytheon Company and Beech Aircraft Corporation. The system's benefits accrue from the union of fiber optic performance advantages with the low cost of fault-tolerant distributed sensing and control techniques. 
The initial configuration comprises low-cost fault-tolerant computers which control, monitor and display the functions of two JT15D-5 engines and their thrust reversers across redundant fiber networks. Pilot inputs are transmitted digitally over a redundant fiber optic network using a distributed fault-tolerant processing architecture. In the distributed control-by-light (CBL) system, low-cost intelligent nodes are placed at the site of the sensors, actuators, control inputs, feedback devices, and displays across the entire aircraft. TI Implementation of a digital reactor control and protection system. AU Heyck, H. (Paul Scherrer Inst., Villigen, Switzerland) SO Advanced Control and Instrumentation Systems in Nuclear Power Plants. Design, Verification and Validation. IAEA/IWG/ATWR & NPPCI Technical Committee Meeting (VTT-SYMP-147) Editor(s): Haapanen, P. Espoo, Finland: Tech. Res. Centre of Finland, 1995. p.223-34 of 578 pp. 4 refs. Conference: Espoo, Finland, 20-23 June 1994 DT Conference Article TC Practical CY Finland LA English AB The instrumentation and control and the reactor protection system (RPS) of PSI's swimming pool reactor SAPHIR is retrofitted with a functionally and geographically distributed digital system, on the basis of a currently available system for power plants (PROCONTROL P13/42 from ABB). The integration of the reactor protection functions into the operational control system, not practised in the past, offers advantages compared to the conventional separation between protection and control systems, such as the use of the same type of hardware and software for maintenance, automatic testing and troubleshooting. TI Dependability assessment using binary decision diagrams (BDDs). AU Doyle, S.A. (Dept. of Comput. Sci., Duke Univ., Durham, NC, USA); Dugan, J.B. SO Twenty-Fifth International Symposium on Fault-Tolerant Computing. Digest of Papers (Cat. No.95CB35823) Los Alamitos, CA, USA: IEEE Comput. Soc. Press, 1995. p.249-58 of xxiii+547 pp. 
15 refs. Conference: Pasadena, CA, USA, 27-30 June 1995 Sponsor(s): IEEE Comput. Soc. Tech. Committee on Fault-Tolerant Comput.; LAAS-CNRS, France; Univ. Illinois at Urbana-Champaign; Univ. California at Los Angeles; Jet Propulsion Lab.; IFIP WG 10.4 Price: CCCC 0731-3071/95/$4.00 ISBN: 0-8186-7079-7 DT Conference Article TC Theoretical CY United States LA English AB Presents the DREDD (Dependability and Risk Evaluation using Decision Diagrams) algorithm which incorporates coverage modeling into a BDD solution of a combinatorial model. BDDs, which do not use cutsets to generate system unreliability, can be used to find exact solutions for extremely large systems. The DREDD algorithm takes advantage of the efficiency of the BDD solution approach and increases the accuracy of a combinatorial model by including consideration of imperfect coverage. The usefulness of combinatorial models, long appreciated for their logical structure and concise representational form, is extended to include many fault-tolerant systems previously thought to require more complicated analysis techniques in order to include coverage modeling. In this paper, the DREDD approach is presented and applied to the analysis of two sample systems, the F18 flight control system and a fault-tolerant multistage interconnection network. TI Design and analysis of a fault-tolerant supervisory control station using dual computers. AU Yan-Chang Chen; Tai-Jee Pan (Dept. of Comput. Sci. & Eng., Tatung Inst. of Technol., Taipei, Taiwan) SO 1994 International Computer Symposium Conference Proceedings Hsinchu, Taiwan: Nat. Chiao Tung Univ, 1994. p.25-30 vol.1 of 2 vol. xvi+1310 pp. 11 refs. Conference: Hsinchu, Taiwan, 12-15 Dec 1994 Sponsor(s): Ministr. Educ.; Comput. Soc DT Conference Article TC Practical CY Taiwan, Province of China LA English AB Presents the design of a redundant supervisory control station using networked computers. 
The design focuses on the development of a model that represents the interaction between the master and the standby computers; this interaction ensures continuing operation and facilitates a recovery process in case of system failure. The design system is analyzed by Petri-net theory to verify non-stop execution ability. TI Comparing control systems reliability - architecture, diagnostics, and common cause. AU Bukowski, J.V. (Dept. of Electr. Eng., Villanova Univ., PA, USA); Goble, W.M. SO Proceedings of the Industrial Computing Conference. ICS/94 Research Triangle Park, NC, USA: ISA, 1994. p.399-407 of xiii+410 pp. 7 refs. Conference: Anaheim, CA, USA, 23-28 Oct 1994 Price: CCCC 1058-8655/94/399-407/$0+.50pp DT Conference Article TC Practical CY United States LA English AB Several aspects of system design are critical to high reliability/high safety systems. The primary aspects are online diagnostic coverage, susceptibility to common cause stress, and system architecture. This paper compares three control system architectures and shows how reliability and safety vary with diagnostics and common cause susceptibility. TI Scheduling strategies for periodic tasks to avoid timing faults in critical control systems. AU Chetto, H. (Nantes Univ., France); Silly, M. SO Automatic Control. World Congress 1993. Proceedings of the 12th Triennial World Congress of the International Federation of Automatic Control. Vol.2. Robust Control, Design and Software Editor(s): Goodwin, G.C.; Evans, R.J. Oxford, UK: Pergamon, 1994. p.725-8 of xviii+848 pp. 7 refs. Conference: Sydney, NSW, Australia, 18-23 July 1993 Sponsor(s): IFAC; IMACS; IFIP; IFORS; Int. Meas. Confederation ISBN: 0-08-042213-6 DT Conference Article TC Practical; Theoretical CY United Kingdom LA English AB A key issue in the design of a real-time system is to determine an appropriate fault-tolerant mechanism so that the occurrence of any erroneous state does not result in a timing failure (i.e. deadline missing). 
In this paper, the deadline mechanism, which is a variation of the recovery block scheme, is used to support timing and software fault-tolerance. We show how it can be easily implemented in a uniprocessor machine through a scheduling strategy which provides predictability and adaptivity. TI A proposal for error-tolerating codes. AU Matsubara, T.; Koga, Y. (Dept. of Comput. Sci., Nat. Defense Acad., Yokosuka, Japan) SO Digest of Papers FTCS-23 The Twenty-Third International Symposium on Fault-Tolerant Computing Los Alamitos, CA, USA: IEEE Comput. Soc. Press, Aug. 1993. p.130-6 of xxii+685 pp. 3 refs. Conference: Toulouse, France, 22-24 June 1993 Sponsor(s): IEEE Price: CCCC 0731-3071/93/$3.00 ISBN: 0-8186-3680-7 DT Conference Article TC Application; Practical CY United States LA English AB An extended concept of error-tolerating codes is presented and some examples of error-tolerating codes are introduced. An erroneous codeword of the proposed error-tolerating code may occur in the codespace; however, in this case, the erroneous codeword is required to be in a defined neighborhood of the original codeword. When no error is detected in a word, the word may differ from the original codeword, but it is trustworthy and can be used in a system without any error-correction or error-recovery procedures. An error-tolerating code is presented as an example. This code can be used to implement analog-to-digital converting devices which are useful for dependable high-speed real-time control systems. TI The reliability assessment of the control and instrumentation systems for Sizewell B. AU Orme, S. SO Thermal Reactor Safety Assessment. Proceedings of the Conference London, UK: British Nucl. Energy Soc, 1994. p.1-8 of 264 pp. 4 refs. Conference: Manchester, UK, 23-26 May 1994 Sponsor(s): ANS; Atomic Energy Soc. Japan; British Nucl. Forum; Eur. Nucl. 
Soc.; et al ISBN: 0-7277-1993-9 DT Conference Article TC Practical CY United Kingdom LA English AB The Control and Instrumentation (C and I) systems for a nuclear power station must be shown to meet the system requirements set down for them at the beginning of the design phase. These system requirements include the targets for the reliability to be achieved by the systems. It is necessary to show that the systems meet the reliability targets in order to support the assumptions made in the station safety analysis. The purpose of this paper is to describe the work that has been performed by the various organisations to assess the hardware reliability of some of the key C and I systems for Sizewell B. TI Built-in diagnostics for advanced power management. AU Darty, M. (McDonnell Douglas Aerosp., Huntsville, AL, USA); Li Pi Su; Bosco, C. SO Conference Proceedings. AUTOTESTCON '94. IEEE Systems Readiness Technology Conference. 'Cost Effective Support Into the Next Century' (Cat. No.94CH3436-3) New York, NY, USA: IEEE, 1994. p.399-407 of xxxv+763 pp. 2 refs. Conference: Anaheim, CA, USA, 20-22 Sept 1994 Sponsor(s): IEEE Instrum. & Meas. Soc.; IEEE Aerosp. & Electron. Syst. Soc.; IEEE Los Angeles Council Price: CCCC 0 7803 1910 9/94/$3.00 ISBN: 0-7803-1910-9 DT Conference Article TC Practical CY United States LA English AB The Army's Diagnostic Analysis and Repair Tool Set (DARTS) is an advanced software product used to perform automated fault diagnostics that results in reduced logistics costs, decreased downtime and enhanced mission performance. DARTS enabled automated, knowledge based fault diagnostics to be embedded in the Advanced Modular Power Control System (AMPCS). AMPCS is an integrated hardware and software product for aerospace power management. DARTS was used in a concurrent engineering design environment as a computer aided engineering tool to optimize the fault detection and fault isolation characteristics of the AMPCS prototype design. 
TI Dynamic reallocation of processes and system dimensioning in fault-tolerant control systems. AU Piuri, V. (Dept. of Electron. & Inf., Politecnico di Milano, Italy) SO Conference Record IMTC/93 New York, NY, USA: IEEE, May 1993. p.752-7 of xxvi + 793 pp. 11 refs. Conference: Irvine, CA, USA, 18-20 May 1993 Sponsor(s): IEEE Price: CCCC 0-7803-1229-5/93/$3.00 ISBN: 0-7803-1229-5 DT Conference Article TC Practical; Experimental CY United States LA English AB The author considers the problem of the dynamic reallocation of the computation, so that a higher number of faults can be tolerated, possibly with degraded performance and functionalities at low costs. The computation is modeled by using concurrent communicating processes, while the hardware structure considers multiprocessor distributed systems. The stochastic evaluation of the software performance is concerned with the capabilities of dealing with external events within a given maximum time. The hardware dimensioning is optimized at the same time as the software allocation. Redundant hardware resources are introduced to take into account the additional requirements of the spare processes. TI The design of fault tolerant, high-performance control systems. AU Tyrrell, A.M. (Dept. of Electron., York Univ., UK) SO IEE Colloquium on 'High Performance Computing for Advanced Control' (Digest No.1994/241) London, UK: IEE, 1994. p.5/1-4 of 36 pp. 6 refs. Conference: London, UK, 8 Dec 1994 Sponsor(s): IEE DT Conference Article TC Practical CY United Kingdom LA English AB There are a number of additional difficulties when designing fault-tolerance into parallel systems compared with the design of sequential systems. 
In addition to the problems associated with single processor system design, such as error detection and system recovery, parallel system designs must also consider error confinement, communication faults, distributed placement of fault-tolerant mechanisms and coordination of error detection and system recovery. The complexity of parallel and distributed systems puts considerable emphasis on a system designer if systems are to be resilient to faults. The paper considers work performed that is designed to deal with some of these problems in an attempt to make parallel and distributed systems both efficient and fault-tolerant, the goal for designing all such systems. TI EPICS communication loss management. AU Hill, J.O. (Los Alamos Nat. Lab., NM, USA) SO Nuclear Instruments & Methods in Physics Research, Section A (Accelerators, Spectrometers, Detectors and Associated Equipment) (15 Dec. 1994) vol.352, no.1-2, p.218-20. 2 refs. Price: CCCC 0168-9002/94/$07.00 CODEN: NIMAER ISSN: 0168-9002 Conference: Third International Conference on Accelerator and Large Experimental Physics Control Systems. Berlin, Germany, 18-23 Oct 1993 DT Conference Article; Journal TC Practical CY Netherlands LA English AB A robust distributed control system should properly respond to temporary loss of communication with any portion of the system. This temporary loss could be caused by hardware or software failures or it could be caused by reconfiguring or rebooting other portions of the system. For the Experimental Physics and Industrial Control System we have handled these temporary outages consistently and reliably. This capability makes it possible for distributed functions such as loop closure, sequencing, archiving, or operator consoles to take proper action at the beginning and end of the loss of communication with another part of the system. 
The control system continues to function in a degraded mode while some of its subsystems are not responding and resumes normal operation once a subsystem is restored. TI A solution to an automotive control system benchmark. AU Kopetz, H. (Wien Univ., Austria) SO Proceedings. Real-Time Systems Symposium (Cat. No.94CH35728) Los Alamitos, CA, USA: IEEE Comput. Soc. Press, 1994. p.154-8 of x+299 pp. 11 refs. Conference: San Juan, Puerto Rico, 7-9 Dec 1994 Sponsor(s): IEEE Comput. Soc. Tech. Committee on Real-Time Syst Price: CCCC 1052-8725/94/$04.00 ISBN: 0-8186-6600-5 DT Conference Article TC Practical CY United States LA English AB The Society of Automotive Engineers (SAE) has recently published a set of requirements and a control benchmark which is able to compare the effectiveness of new protocol proposals for safety-critical automotive systems. This paper presents a solution to this benchmark problem that is based on the Time Triggered Protocol (TTP). TTP integrates all services required for the implementation of fault-tolerant hard real-time systems, while trying to minimize the bandwidth requirements. TI Fault tolerance in supervisory control systems: a knowledge-based approach. AU Askounis, D.T.; Assimakopoulos, V.; Psarras, J. (Dept. of Electr. Eng., Nat. Tech. Univ. of Athens, Greece) SO Journal of Intelligent Manufacturing (Oct. 1994) vol.5, no.5, p.323-31. 13 refs. CODEN: JIMNEM ISSN: 0956-5515 DT Journal TC Theoretical CY United Kingdom LA English AB Existing fault tolerance approaches, wherever used, deal mainly with hardware faults. Nevertheless, the vast majority of contemporary system failures are software related. This paper introduces a knowledge-based approach to handling software related faults occurring in supervisory control systems. These systems are event driven and use data, stored in complex databases, to react to events coming from different kinds of devices by identifying, scheduling, initiating and monitoring operations. 
Failure of part of the supervisory control system's software to behave rationally when unexpected events occur is called an application fault. The approach introduced in this paper is based on a supervisory control system reference model which reveals the set of all possible application faults together with the major functions of the recovery processes associated with each fault, and leads to a high-level knowledge-based system architecture capable of handling every fault-related condition. This system is called PROFIT (Intelligent PROduction systems Fault Tolerance) and consists of three main components: the fault diagnosis module, the instant fault correction module and the learning module, co-ordinated by a PROFIT meta-level module. TI A fuzzy logic supervisor for reconfigurable flight control systems. AU Copeland, R.P.; Rattan, K.S. (Dept. of Electr. Eng., Wright State Univ., Dayton, OH, USA) SO Proceedings of the IEEE 1994 National Aerospace and Electronics Conference NAECON 1994 (Cat. No.94CH3431-4) New York, NY, USA: IEEE, 1994. p.579-86 vol.1 of 2 vol. xviii+1346 pp. 10 refs. Conference: Dayton, OH, USA, 23-27 May 1994 Sponsor(s): Dayton Sect. IEEE; Aerosp. & Electron. Syst. Soc. IEEE Price: CCCC CH3431-4/94/0000-0579$1.00 ISBN: 0-7803-1893-5 DT Conference Article TC Practical; Theoretical; Experimental CY United States LA English AB The design of a fuzzy logic supervisor for a reconfigurable flight control law is described in this paper. The objective of the supervisor is to maintain the original performance of the aircraft after effector failure by adjusting the gains of the existing control law. In this design the pitch axis control of the unmanned research vehicle was selected as the test platform. The set of fuzzy rules obtained ensures the even distribution of control authority to the remaining healthy effectors. A comparison of the reconfigured aircraft response with and without the fuzzy logic supervisor is presented. 
Simulation results show an improvement in the reconfigured response using a fuzzy logic supervisor. TI Failure sensitivity and robustness in reconfigurable flight control systems. AU Wu, N.E.; Tijian Chen (Binghamton Univ., NY, USA) SO Proceedings of the IEEE 1994 National Aerospace and Electronics Conference NAECON 1994 (Cat. No.94CH3431-4) New York, NY, USA: IEEE, 1994. p.548-55 vol.1 of 2 vol. xviii+1346 pp. 22 refs. Conference: Dayton, OH, USA, 23-27 May 1994 Sponsor(s): Dayton Sect. IEEE; Aerosp. & Electron. Syst. Soc. IEEE Price: CCCC CH3431-4/94/0000-0548$1.00 ISBN: 0-7803-1893-5 DT Conference Article TC Theoretical CY United States LA English AB This paper is concerned with the design of reconfigurable flight control systems furnished with aerodynamic redundancy. Our focus is directed towards dealing with aircraft surface impairment such as locked, floating, or missing surfaces. We propose a control design criterion that facilitates the detection of failures without compromising the required performance robustness. Details are carried out for the design of the pitch axis controller of an experimental highly maneuverable aircraft, where redundancy in the control authority is provided by both the elevons and the canards. The design effort is focused on the selection of controllers that can differentiate their effects on failures that require a control reconfiguration from the effects on other uncertainties that do not require a control reconfiguration. TI Conceptual design of test aides for flight critical control systems. AU Houchard, J.H. (Frontier Technol. Inc., Beavercreek, OH, USA) SO Proceedings of the IEEE 1994 National Aerospace and Electronics Conference NAECON 1994 (Cat. No.94CH3431-4) New York, NY, USA: IEEE, 1994. p.911-18 vol.2 of 2 vol. xviii+1346 pp. 0 refs. Conference: Dayton, OH, USA, 23-27 May 1994 Sponsor(s): Dayton Sect. IEEE; Aerosp. & Electron. Syst. Soc. 
IEEE Price: CCCC CH3431-4/94/0000-0911$1.00 ISBN: 0-7803-1893-5 DT Conference Article TC Practical CY United States LA English AB This paper describes the conceptual design of a suite of tools that will aid and/or automate various aspects of the control system verification and validation process. The suite provides for the definition of system data, generation of test procedures, and semi-automated test execution and evaluation. One element of this long-range vision, the Test Procedure Generator (TPG), is in the early stages of development under NASA's Small Business Innovative Research program. The TPG supports testing at the component, subsystem and complete system levels. It accepts system design data, including component and interface layout, as well as detailed component behavioral specifications defined using functional block diagrams. TI Dependable computing for railway control systems. AU Mongardi, G. (ANSALDO Transport, Genova, Italy) SO Dependable Computing for Critical Applications 3 Editor(s): Landwehr, C.E.; Randell, B.; Simoncini, L. Wien, Austria: Springer-Verlag, 1993. p.255-77 of xii+381 pp. 13 refs. Conference: Mondello, Italy, 14-16 Sept 1992 Sponsor(s): IFIP ISBN: 3-211-82481-2 DT Conference Article TC Practical CY Austria LA English AB The paper deals with a dependable microprocessor system applied to control equipment and train movements in a railway station. First, application general requirements are outlined and basic principles and adopted techniques for dependability are shown; hardware and software vital architecture are described. Then some details about application specific features are given, in order to present a suitable software verification and validation environment and to explain procedures and tools for system design. Some hints about first installations and relevant results are also given. TI Control reconfiguration in the presence of software failures. AU Bodson, M. (Dept. of Electr. & Comput. 
Eng., Carnegie Mellon Univ., Pittsburgh, PA, USA); Lehoczky, J.; Rajkumar, R.; Sha, L.; Soh, D.; Smith, M.; Stephan, J. SO Proceedings of the 32nd IEEE Conference on Decision and Control (Cat. No.93CH3307-6) New York, NY, USA: IEEE, 1993. p.2284-9 vol.3 of 4 vol. 66+3898 pp. 14 refs. Conference: San Antonio, TX, USA, 15-17 Dec 1993 Sponsor(s): IEEE Control Syst. Soc Price: CCCC 0191-2216/93/$3.00 ISBN: 0-7803-1298-8 DT Conference Article TC Practical; Theoretical CY United States LA English AB In this paper, we discuss a special approach for software fault tolerance in control applications. A full-function, high-performance, but complex control system is complemented by an error-free implementation of a highly reliable control system of lower functionality. When the correctness of the high-performance controller is in doubt, the reliable control system takes over the execution of the task. An innovative feature of the approach is the disparity between the two control systems, which is used to exploit the relative advantages of the simple/reliable vs. complex/high-performance systems. Another innovative feature is the fault detection mechanism, which is based on measures of performance and of safety of the control system. TI Design of fault-tolerant distributed control systems. AU Piuri, V. (Dept. of Electron. & Inf., Politecnico di Milano, Italy) SO IEEE Transactions on Instrumentation and Measurement (April 1994) vol.43, no.2, p.257-64. 11 refs. Price: CCCC 0018-9456/94/$4.00 CODEN: IEIMAO ISSN: 0018-9456 Conference: 10th Annual IEEE Instrumentation and Measurement Technology Conference - IMTC '93. Irvine, CA, USA, 18-20 May 1993 DT Conference Article; Journal TC Theoretical; Experimental CY United States LA English AB In this paper, hardware dimensioning, the optimum allocation of the computation, and the fault-tolerance issues are afforded contemporaneously, with specific attention to the design of dedicated distributed control systems. 
A single optimization frame is defined to identify a globally optimum solution with respect to these conflicting goals. TI Reliability analysis of the X-29A flight control system software. AU Davis, G.J. (NASA Ames Res. Center, Moffett Field, CA, USA); Earls, M.R.; Patterson-Hine, F.A. SO Journal of Computer and Software Engineering (1993) vol.1, no.4, p.325-48. 8 refs. CODEN: JCOSE5 ISSN: 1069-5451 DT Journal TC Application; Practical CY United States LA English AB Software reliability measurements of safety-critical software systems are not well understood. In particular, a significant part of the testing of flight control software for high performance aircraft is performed in full-up systems tests, so the applicability of models developed for pure software systems is unknown. In this study, data from flight tests of the X-29A forward-swept wing aircraft, performed at NASA's Dryden Flight Research Facility, are analyzed with the Statistical Modeling and Estimation of Reliability Functions for Software (SMERFS) modeling package. Results from this analysis are presented following a description of the data collection and documentation process utilized by the X-29 program. These results are used to assess the applicability of these models and their prediction capabilities in a flight test environment. TI Fault tolerant design for field control stations. AU Matsuda, T.; Sogo, S.; Sano, H.; Hamaza, M. SO Yokogawa Technical Report (English Edition) (May 1994) no.18, p.10-13. 0 refs. CODEN: YTREEO ISSN: 0911-8977 DT Journal TC Practical CY Japan LA English AB This paper describes the fault-tolerant design of the duplexed (dual-redundant) field control station in the CENTUM CS system. The design features enhanced error detection functions, and minimal interruption to control when switching between active and standby processors. TI VOTRICS: a highly predictable fault tolerant system architecture. AU Appel, B. (ELIN Res. 
Centre, Alcatel Austria AG, Wien, Austria) SO Real Time Computing. Proceedings of the NATO Advanced Study Institute Editor(s): Halang, W.A.; Stoyenko, A.D. Berlin, Germany: Springer-Verlag, 1994. p.630-1 of xxii+762 pp. 0 refs. Conference: Sint Maarten, Dutch Antilles, 5-17 Oct 1992 ISBN: 3-540-57558-8 DT Conference Article TC Practical CY Germany LA English AB VOTRICS is a fault-tolerant system architecture intended to provide a variety of control systems with high availability and reliability. VOTRICS provides message-passing services between actively replicated components. Event-triggered applications in loosely- as well as tightly-coupled computer systems are supported.

TI The impact of real-time on the fault-tolerant distributed RDC-System. AU Bonn, G. (Fraunhofer-Inst. fur Inf.- und Datenverarbeitung, Karlsruhe, Germany) SO Real Time Computing. Proceedings of the NATO Advanced Study Institute Editor(s): Halang, W.A.; Stoyenko, A.D. Berlin, Germany: Springer-Verlag, 1994. p.536-8 of xxii+762 pp. 0 refs. Conference: Sint Maarten, Dutch Antilles, 5-17 Oct 1992 ISBN: 3-540-57558-8 DT Conference Article TC Application; Practical CY Germany LA English AB The RDC-System (Really Distributed Computer Control System) developed by IITB has been successfully applied in many industrial automation projects. It provides distributed fault-tolerance and is based on a redundant fibre optical network. The application programs are highly real-time sensitive and are written in PEARL with extensions for distribution and fault-tolerance support. This paper gives a short outline of the main characteristics of RDC with respect to real-time, fault-tolerance and distribution, and summarizes some lessons learnt from the multiple industrial applications in steel production and car manufacturing.

TI Safety licensing and formal correctness of high integrity embedded systems. AU Cullyer, J. (Dept. of Eng., Warwick Univ., Coventry, UK) SO Real Time Computing.
Proceedings of the NATO Advanced Study Institute Editor(s): Halang, W.A.; Stoyenko, A.D. Berlin, Germany: Springer-Verlag, 1994. p.161-85 of xxii+762 pp. 22 refs. Conference: Sint Maarten, Dutch Antilles, 5-17 Oct 1992 ISBN: 3-540-57558-8 DT Conference Article TC Theoretical CY Germany LA English AB This paper describes techniques for applying formal mathematical methods to the specification and design of high integrity embedded control systems which are implemented using microprocessors and real-time software. The techniques described in this paper are intended to provide a practical route for the development of highly critical systems. By combining the specification language Higher Order Logic (HOL) with the disciplined use of annotated subsets of programming languages such as Ada, a framework has been developed for the development of the operational software for practical safety-critical equipment.

TI Dependable flight control system using data diversity with error recovery. AU Christmansson, J.; Kalbarczyk, Z.; Torin, J. (Lab. for Dependable Computing, Chalmers Univ. of Technol., Goteborg, Sweden) SO Computer Systems Science and Engineering (April 1994) vol.9, no.2, p.142-50. 18 refs. CODEN: CSSEEI ISSN: 0267-6192 Conference: Pacific Rim Fault Tolerant Computing (PRFTC) Conference. Melbourne, Vic., Australia, 16-17 Dec 1993 DT Conference Article; Journal TC Practical CY United Kingdom LA English AB Presents a method for the tolerance of software design faults in a flight control system, based on a distributed periodic system in which the processing is performed in nodes. Tasks should be allocated and executed in parallel on different hardware channels with the same copy of programs (no design diversity), although under slightly different conditions (data diversity).
A simulation-based fault injection experiment demonstrated that the proposed approach can considerably improve the fault tolerance capabilities of a system as compared with the traditional design.

TI A prototype framework of tools for the design of real-time distributed control software. AU Bass, J.M.; Browne, A.R.; Croll, P.R.; Fleming, P.J. (Sheffield Univ., UK) SO International Conference on Control '94 (Conf. Publ. No.389) London, UK: IEE, 1994. p.922-7 vol.2 of 2 vol. xl+1594 pp. 11 refs. Conference: Coventry, UK, 21-24 March 1994 ISBN: 0-85296-611-3 DT Conference Article TC Practical CY United Kingdom LA English AB A prototype framework of software tools for the design of distributed real-time control system software is described here. The tools provide a highly transparent transformation from a specification to an implementation. The specification is in a familiar control engineering notation and can be simulated to ensure correct functional behaviour. The translation to an executable form is made via a software engineering model of the system. Two optimisations that can be performed on the software engineering model to improve the reliability and performance of the distributed system under development are described. As an example the framework is used to implement a linearised continuous-time roll-yaw-pitch autopilot and airframe model.

TI Simulation modeling for long duration spacecraft control systems. AU Boyd, M.A. (Div. of Inf. Sci., NASA Ames Res. Center, Moffett Field, CA, USA); Bavuso, S.J. SO Annual Reliability and Maintainability Symposium. 1993 Proceedings (Cat. No.93CH3257-3) New York, NY, USA: IEEE, 1993. p.106-13 of xx+103 pp. 20 refs. Conference: Atlanta, GA, USA, 26-28 Jan 1993 Sponsor(s): IEEE; AIAA; IES; SAE; SRE; IIE; SOLE; American Soc. Quality Control; Syst.
Safety Soc Price: CCCC 0149-144X/93/$3.00 ISBN: 0-7803-0943-X DT Conference Article TC Application CY United States LA English AB The authors describe the use of simulation and contrast it with analytical solution techniques for evaluation of analytical reliability models. They discuss the role of importance sampling in simulation of models of this type. They demonstrate the use of the simulator tool by applying it to a fault-tolerant hypercube multiprocessor intended for spacecraft designed for long-duration missions. The reliability analysis is used to highlight the advantages and disadvantages offered by simulation compared with analytical solution of Markovian and non-Markovian reliability models. Results show a substantial improvement indicating that a candidate architecture that would otherwise be considered inadequate could provide acceptable reliability after all.

TI Fault-tolerant realization of a fuzzy control system. AU Ito, H.; Matsubara, T.; Kurokawa, T.; Koga, Y. (Dept. of Comput. Sci., Nat. Defense Acad., Yokosuka, Japan) SO Systems and Computers in Japan (1993) vol.24, no.10, p.28-36. 7 refs. Price: CCCC 0882-1666/93/0010-0028 CODEN: SCJAEP ISSN: 0882-1666 DT Journal TC Practical CY United States LA English AB Fuzzy systems are generally considered to be fault-tolerant. However, as yet, there has been no distinct study on the fault tolerance of fuzzy control systems. In this paper, the effect of errors in fuzzy control systems on the output is examined using simulations, and it is shown that the effect cannot be ignored. Also, a fault-detection method for such errors is proposed, as fault detection functions are not applied at present to fuzzy control systems.

TI Reliability evaluation of fly-by-wire computer systems. AU Dugan, J.B.; Van Buren, R. (Dept. of Comput. Sci. & Electr. Eng., Duke Univ., Durham, NC, USA) SO Journal of Systems and Software (April 1994) vol.25, no.1, p.109-20. 23 refs.
Price: CCCC 0164-1212/94/$7.00 CODEN: JSSODM ISSN: 0164-1212 DT Journal TC Practical; Theoretical CY United States LA English AB In this article, a combination of fault trees and Markov models is used to provide an integrated analysis of a portion of the flight control systems used on the Airbus A310 and A320 aircraft. The goal of the analysis is to determine the reliability of each system, that is, the time-dependent probability of producing an acceptable result. An unacceptable output can be the result of hardware or software faults that are not tolerated by the level of redundancy provided.

TI Dependable flight control system by data diversity and self-checking components. AU Christmansson, J.; Kalbarczyk, Z.; Torin, J. (Lab. for Dependable Comput., Chalmers Univ. of Technol., Goteborg, Sweden) SO Microprocessing & Microprogramming (April 1994) vol.40, no.2-3, p.207-22. 21 refs. Price: CCCC 0165-6074/94/$7.00 CODEN: MMICDT ISSN: 0165-6074 DT Journal TC Practical; Theoretical CY Netherlands LA English AB Proposes a principle for the tolerance of software design faults in a Flight Control System. The system is considered on two levels: (i) the entire system in which N-copy programming is applied, and (ii) the individual Guidance and Navigation Computer (GNC), which is a self-checking component. The performances of data diversity (N-copy programming) and the traditional design without diversity (multiple computation) were compared in an experiment using fault injection with a method based on mutation testing. The best performances for N-copy programming and multiple computation were 95.5% and 66.6% correct results, respectively. However, the reliability improvement introduced by the N-copy programming is application-specific. The N-copy programming alone is not likely to fulfil the safety requirements and therefore each GNC of the flight control system is regarded as a self-checking component.
A pessimistic and an optimistic analytical estimation of the enhancement introduced to each GNC by the self-checking component showed that the MTTF (Mean Time To Failure) increased two-fold and nine-fold, respectively.

TI Survivable LANs for distributed control systems. AU Cooling, J.E. (Dept. of Electron. & Electr. Eng., Loughborough Univ. of Technol., UK) SO Computer Communications (May 1994) vol.17, no.5, p.317-31. 34 refs. Price: CCCC 0140-3664/94/050317-15$10.00 CODEN: COCOD7 ISSN: 0140-3664 DT Journal TC Practical CY United Kingdom LA English AB This paper discusses the need for, and methods of achieving, survivability in distributed control system networks. It is applicable to areas such as avionics, marine systems and industrial plants. Basic survival strategies are discussed in the context of specific network topologies, with emphasis on system design aspects. The strengths and weaknesses of the various approaches are discussed, together with the requirements and constraints of practical systems. Based on these, a general template for a survivable LAN is defined, accompanied by a set of recommendations for implementing specific survivability features.

TI Design of a transputer-based fault tolerant control system using analytical redundancy. AU Sinha, P.K.; Zhou, F.B.; Mutib, K. (Dept. of Eng., Reading Univ., UK) SO Transputer Applications and Systems '93. Proceedings of the 1993 World Transputer Congress Editor(s): Grebe, R.; Hektor, J.; Hilton, S.C.; Jane, M.R.; Welch, P.H. Amsterdam, Netherlands: IOS Press, 1993. p.134-41 of 1317 pp. 6 refs. Conference: Aachen, Germany, 20-22 Sept 1993 DT Conference Article TC Experimental CY Netherlands LA English AB This paper presents some new experimental results on fault detection and isolation (FDI) using a transputer-controlled electromagnetic suspension system, which is a nonlinear system that is unstable in open-loop. It requires at least air gap (position) feedback for stability.
To provide an adequate level of damping, vertical velocity feedback is also included. Because of the need for feedback for stability, the reliability of the sensor (instrument) operation is critical. However, for operational reasons, it is not practical to have multiple redundancy and voting techniques. Use of analytical redundancy provides an ideal basis for the improvement of the operational reliability of all sensors (typically air gap sensors and vertical accelerometers).

TI A fault-masking and transient-recovery model for digital flight-control systems. AU Rushby, J. (Comput. Sci. Lab., SRI Int., Menlo Park, CA, USA) SO Formal techniques in real-time and fault-tolerant systems Editor(s): Vytopil, J. Norwell, MA, USA: Kluwer Academic Publishers, 1993. p.109-36 of xi+208 pp. 26 refs. ISBN: 0-7923-9332-5 DT Book Article TC Theoretical CY United States LA English AB The author presents a formal model for fault-masking and transient-recovery among the replicated computers of digital flight-control systems. He establishes conditions under which majority voting causes the same commands to be sent to the actuators as those that would be sent by a single computer that suffers no failures. The model and its analysis have been subjected to formal specification and mechanically checked verification using the EHDM system.

TI Triple redundant control becomes more affordable. AU Blickley, G.J. (Control Eng., Hoofddorp, Netherlands) SO Control Engineering (Sept. 1993) vol.40, no.10, p.95-6. 0 refs. CODEN: CENGAX ISSN: 0010-8049 DT Journal TC Practical CY United States LA English AB Triconex Corp. has found the following markets that can bear the overhead of a TMR configuration: emergency shutdown systems; burner management systems; turbine control systems; and critical process control loops. The article discusses various technical developments in such systems, and in particular system integrity diagnostics and communication capabilities.
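Two mechanisms recur in the records above: majority voting with transient recovery among replicated computers (the Rushby fault-masking model, the Triconex TMR systems) and the two-tier scheme of the Sha et al. record at the top of this section, where a simple, reliable controller takes over from a complex high-performance one whenever the latter's correctness is in doubt, with the doubt raised by performance and safety measures. The simulation below puts both in one loop. It is an added example written for this listing, not code from any of the papers: the scalar plant, the gains, the X_MAX envelope, the DEADBAND, the injected transient and design faults and the names plant_step, vote, HighPerfController and run are all constructed here for illustration.

```python
"""Added example (not from any paper in this listing): three voted replicas of a
high-gain controller with transient-state recovery, backed by a simple baseline
controller that a performance/safety monitor switches to when the voted
controller's correctness is in doubt. Plant, gains, thresholds and injected
faults are all constructed for illustration."""
from collections import Counter
from dataclasses import dataclass

DT = 0.1            # control period (assumed)
A, B = 0.5, 1.0     # open-loop unstable scalar plant  x' = A*x + B*u  (constructed)
X_MAX = 5.0         # safety envelope |x| <= X_MAX that must never be left (assumed)
DEADBAND = 0.1      # the performance monitor ignores growth inside this band (assumed)


def plant_step(x, u):
    """One Euler step of the scalar plant."""
    return x + DT * (A * x + B * u)


def safe_control(x):
    """Low-gain baseline controller, simple enough to check by hand: x -> 0.85 x per step."""
    return -2.0 * x


@dataclass
class HighPerfController:
    """High-gain PI controller; its integrator is the state a voter can restore."""
    kp: float = 6.0
    ki: float = 0.5
    design_fault: bool = False   # constructed common-mode software bug (not masked by voting)
    integ: float = 0.0
    latched: bool = False

    def step(self, x):
        self.integ += x * DT
        u = -(self.kp * x + self.ki * self.integ)
        if self.design_fault and abs(x) < 0.2:
            self.latched = True            # bug: a mode flag that is set but never cleared
        return -u if self.latched else u   # wrong sign once latched, so the loop diverges


def vote(values):
    """Exact majority voter; returns None when no value has a strict majority."""
    val, count = Counter(values).most_common(1)[0]
    return val if count > len(values) // 2 else None


def run(steps, x0=3.0, transient=None, design_fault=False, monitor=True):
    """Simulate `steps` periods. `transient` maps step -> set of replica indices hit
    by a constructed SEU-like fault (garbage output plus a corrupted integrator)."""
    transient = transient or {}
    replicas = [HighPerfController(design_fault=design_fault) for _ in range(3)]
    x, switched_at, growth = x0, None, 0
    xs, us = [x], []
    for k in range(steps):
        outs = []
        for i, r in enumerate(replicas):
            u = r.step(x)
            if i in transient.get(k, ()):
                r.integ += 1e3 * (i + 1)
                u = 42.0 + i
            outs.append((u, r.integ))      # vote on output and state together
        voted = vote(outs)
        if voted is None:
            if monitor and switched_at is None:
                switched_at = k            # no majority: correctness is in doubt
        else:
            for r in replicas:
                r.integ = voted[1]         # transient recovery: resync state from the majority
        if switched_at is None and voted is not None:
            u = voted[0]
        else:
            u = safe_control(x)            # the reliable controller has taken over
        x_next = plant_step(x, u)
        if monitor and switched_at is None:
            # performance measure: |x| growing for 3 periods outside the deadband;
            # safety measure: the next state would leave the envelope
            growth = growth + 1 if abs(x_next) > abs(x) and abs(x_next) > DEADBAND else 0
            if growth >= 3 or abs(x_next) > X_MAX:
                switched_at = k
        x = x_next
        xs.append(x)
        us.append(u)
    return {"x": xs, "u": us, "switched_at": switched_at}
```

Three runs make the point. With a transient fault injected into one replica on a few steps, the voted commands and the trajectory are identical to the fault-free run, because the two healthy replicas outvote the damaged one and its integrator is rewritten from the majority, which is the fault-masking and transient-recovery property of the Rushby model. With the design fault switched on, all three replicas agree on the wrong command, voting masks nothing, and only the monitor's switch to safe_control keeps |x| inside X_MAX; the same run with monitor=False leaves the envelope within a dozen periods. With two replicas corrupted on the same step there is no majority at all, and the loop treats that as "correctness in doubt" and falls back at once.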
TI Reliable control of chemical processes with a supervisory knowledge-based system. AU Basila, M.R.; Cinar, A. (Dept. of Chem. Eng., Illinois Inst. of Technol., Chicago, IL, USA) SO Dynamics and Control of Chemical Reactors Distillation Columns and Batch Processes (DYCORD+'92). Selected Papers from the 3rd IFAC Symposium Editor(s): Balchen, J.G. Oxford, UK: Pergamon Press, 1993. p.155-60 of xii+371 pp. 22 refs. Conference: College Park, MD, USA, 26-29 April 1992 Sponsor(s): IFAC ISBN: 0-08-041711-6 DT Conference Article TC Application CY United Kingdom LA English AB The application of a supervisory knowledge-based system (KBS) to provide fault tolerant control of a chemical reaction process is examined. The supervisory KBS is capable of monitoring the process to detect process and control system faults, or deteriorating control system performance due to changes in the process behavior or operating conditions. If a fault or untoward change in performance is detected, the KBS formulates and implements the necessary corrective action. The paper focuses on two important types of remedial action: control loop tuning and automatic restructuring of the control system configuration.

TI Performance evaluation of rollback-recovery techniques in computer programs. AU Ranganathan, A.; Upadhyaya, S.J. (State Univ. of New York, Buffalo, NY, USA) SO IEEE Transactions on Reliability (June 1993) vol.42, no.2, p.220-6. 23 refs. Price: CCCC 0018-9529/93/$3.00 CODEN: IERQAD ISSN: 0018-9529 DT Journal TC Theoretical CY United States LA English AB Rollback in process control systems is generally constrained by deadlines, thereby requiring a dynamic insertion of rollback points. This is in contrast to rollback recovery in database systems in which rollback points are inserted at equidistant intervals. A simple model based on a semi-Markov process is developed to study the performance of rollback recovery strategies.

TI Formal verification of algorithms for critical systems.
AU Rushby, J.M. (SRI Int., Menlo Park, CA, USA); von Henke, F. SO IEEE Transactions on Software Engineering (Jan. 1993) vol.19, no.1, p.13-23. 36 refs. Price: CCCC 0098-5589/93/$03.00 CODEN: IESEDJ ISSN: 0098-5589 DT Journal TC Practical CY United States LA English AB The authors describe their experience with formal, machine-checked verification of algorithms for critical applications, concentrating on a Byzantine fault-tolerant algorithm for synchronizing the clocks in the replicated computers of a digital flight control system. The problems encountered in unsynchronized systems and the necessity, and criticality, of fault-tolerant synchronization are described. An overview of one such algorithm and of the arguments for its correctness is given. A verification of the algorithm performed using the authors' EHDM system for formal specification and verification is described. The errors found in the published analysis of the algorithm and the benefits derived from the verification are indicated. Based on their experience, the authors derive some key requirements for a formal specification and verification system adequate to the task of verifying algorithms of the type considered.

TI Operational failure experience of fault-tolerant digital control systems. AU Paula, H.M.; Roberts, M.W. (JBF Associates Inc., Knoxville, TN, USA); Battle, R.E. SO Reliability Engineering & System Safety (1993) vol.39, no.3, p.273-89. 15 refs. Price: CCCC 0951-8320/93/$06.00 CODEN: RESSEP ISSN: 0951-8320 DT Journal TC Practical CY United Kingdom LA English AB The authors discuss the reliability performance of fault-tolerant digital control systems (F-T DCSs), including a presentation of actual failure experience from 20 different computer system installations. Particular emphasis is given to identifying major contributors to system unreliability and comparing different types of F-T DCS architectures.
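The Rushby and von Henke record above does not name the clock synchronization algorithm it verifies. The example below assumes the egocentric-averaging round of Lamport and Melliar-Smith's interactive convergence algorithm, which is the kind of Byzantine fault-tolerant synchronization the abstract describes: every clock reads every other clock, discards any reading that is further away than the assumed skew bound, and adds the mean of the remaining differences to its own value. It is an added example, not the authors' specification or proof; the clock values, the DELTA bound, the two-faced behaviour of the Byzantine clock and the names ica_round, make_reader, good_spread and run_rounds are all constructed here.

```python
"""Added example (not the algorithm text from the Rushby/von Henke paper): one
egocentric-averaging synchronization round in the style of interactive
convergence, run against a two-faced Byzantine clock. Clock values, the
DELTA threshold and the Byzantine offsets are constructed."""

DELTA = 10.0   # assumed bound on skew between good clocks; readings beyond it are discarded

# constructed: four clocks (offsets in ms); index 3 is the Byzantine one (n = 4, f = 1)
CLOCKS = [0.0, 4.0, -3.0, 0.0]
BYZANTINE = 3
# constructed: what the Byzantine clock tells each reader, relative to the reader's own
# clock. Reader 0 is fed a value outside DELTA (discarded); readers 1 and 2 are pulled
# apart in opposite directions by just under DELTA.
TWO_FACED = [60.0, -9.0, 9.0, 0.0]


def ica_round(clocks, read, delta=DELTA):
    """Each clock p adds the mean, over all n clocks, of (reading of q minus own value),
    with any difference larger than delta replaced by 0. Discarding far-off readings is
    what stops a faulty clock from dragging a good one arbitrarily far."""
    n = len(clocks)
    corrected = []
    for p, own in enumerate(clocks):
        total = 0.0
        for q in range(n):
            d = read(p, q) - own
            total += d if abs(d) <= delta else 0.0
        corrected.append(own + total / n)
    return corrected


def make_reader(clocks, byzantine, two_faced):
    """Reading function: honest clocks report their value to everyone; the Byzantine
    clock reports a different value to each reader."""
    def read(p, q):
        if q == byzantine:
            return clocks[p] + two_faced[p]
        return clocks[q]
    return read


def good_spread(clocks, byzantine):
    """Skew between the fastest and slowest non-faulty clock."""
    good = [c for i, c in enumerate(clocks) if i != byzantine]
    return max(good) - min(good)


def run_rounds(clocks, byzantine, two_faced, rounds):
    """Apply `rounds` synchronization rounds; return the final clocks and the spread of
    the good clocks before the first round and after each round."""
    spreads = [good_spread(clocks, byzantine)]
    for _ in range(rounds):
        clocks = ica_round(clocks, make_reader(clocks, byzantine, two_faced))
        spreads.append(good_spread(clocks, byzantine))
    return clocks, spreads
```

With n = 4 and f = 1 the algorithm's n > 3f condition holds, and a single round brings the three good clocks from a 7 ms spread to 2.75 ms despite the Byzantine clock telling each of them something different. Running the same adversary for many rounds shows the other half of the property: the skew does not go to zero (the adversary keeps pushing readers 1 and 2 apart each round, and the spread settles at 6 ms), but it never leaves the DELTA bound, so the precondition of the next round is re-established. That invariant, "good clocks are within DELTA at the start of every round", is exactly the sort of statement a machine-checked proof has to carry through the averaging step. Calling ica_round with a very large delta removes the rejection step and the reader that was fed the 60 ms value is pulled 15 ms away, which is why the threshold is not an optimization but the defence.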